A Bug in Steam, Which Was Recently Patched, Could Have Given Users Access To Activation Key of Any Game (zdnet.com)
A Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set).
A Bug In Slashdot Gives AC Access to First Post (Score:1, Funny)
exploited, m'gentle ladies
But without auditing? (Score:2)
Do we really think that usage of that API wouldn't have been audited though?
Re: (Score:1)
Only if some dumbfuck downloaded them all at once, sure.
But if you downloaded them in random chunks at a time, it would seem like regular usage patterns on the server logs.
Whether they have a system in place to alert if, say, money coming in wasn't equal to the keys going out, or something along those lines, is another question.
A lot of people overlook usage patterns in their APIs, usually leaving algorithms to deal with it.
But you can cheat a lot of algorithms in the right ways if you trial-and-error infor
Re:But without auditing? (Score:4, Insightful)
A criminal would grab thousands of keys for full price AAA titles and sell them on grey market sites for a quick profit, they wouldn't care if the keys got revoked after an audit.
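The kind of audit this subthread discusses, as an added example (not code from Valve, ZDNet, or any commenter): it flags key requests from accounts with no association to the appid, and totals keycount per account and appid over a sliding window so that many small requests still add up. Only the appid, keyid and keycount field names come from the summary; the log layout, account names, partner map, window and limit are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample audit log: (unix_time, account, appid, keyid, keycount).
LOG = [
    (1000, "dev_a", 480, 1, 50),
    (1600, "dev_a", 480, 1, 40),
    (2000, "acct_x", 480, 1, 30),   # acct_x has no association with appid 480
    (2100, "dev_b", 570, 7, 90),
    (2500, "dev_b", 570, 7, 80),
    (2900, "dev_b", 570, 7, 95),    # small chunks, large cumulative total
    (9000, "dev_a", 480, 1, 60),    # earlier dev_a requests have aged out
]

# Constructed mapping of accounts to the appids they are associated with.
PARTNERS = {"dev_a": {480}, "dev_b": {570}}


def audit(log, partners, window=3600, limit=200):
    """Return findings as (time, account, appid, reason) tuples."""
    findings = []
    recent = defaultdict(deque)   # (account, appid) -> deque of (time, keycount)
    totals = defaultdict(int)     # (account, appid) -> keys inside the window
    for ts, account, appid, _keyid, keycount in sorted(log):
        # Check 1: the account must be associated with the requested appid.
        if appid not in partners.get(account, set()):
            findings.append((ts, account, appid, "not associated with appid"))
            continue
        # Check 2: cumulative keys per (account, appid) in the sliding window.
        key = (account, appid)
        queue = recent[key]
        queue.append((ts, keycount))
        totals[key] += keycount
        while queue and queue[0][0] <= ts - window:
            totals[key] -= queue.popleft()[1]
        if totals[key] > limit:
            findings.append((ts, account, appid, f"{totals[key]} keys in {window}s"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG, PARTNERS):
        print(finding)
```
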
No thanks to free stuff (Score:5, Insightful)
Re: (Score:3)
Valve is basically funding DXVK, a low-level Vulkan-based translation layer for Direct3D 10/11.
Their work with Proton (Steam version of Wine) is amazing and they have made amazing progress the last few months. Thousands of games are now available through "Steam Play" via Proton and DXVK.
Valve isn't making any of those "hentai dating sim visual novels" you speak of.
Re:Agree (Score:2)
Re: (Score:2)
Steam have got more than just a little douche baggery, allowing developers who sold you the game, to force downgrades after buying the game, to sell DLC matched to that downgrade. Steam is now chasing the developers to screw over the users, rather than the other way around. I have stopped buying on Steam to take back control of game upgrades to block install of shitty downgrades, worst to date, Paradox and Stellaris. Watch your game be forced upgraded to now serve you publisher ads and slowed down applicatio
Re: (Score:1)
Re: (Score:2)
I would not touch Steam, until the user gets to choose which patches to run the game with
You've had the ability to avoid patching your Steam games for around a decade now.
That's not quite selective patching but effectively operates the same way, given patches generally have a dependency relationship. If you skip one you mostly aren't getting later ones whether you're on Steam or not.
Re:Game developers (Score:2)
Did he get any keys as a reward? (Score:3)