Steam Wallet allowed you to enter your own amount
A vulnerability was just fixed in Steam Wallet that let you enter your own top-up amount and pay only US$ 1
Published: 30 Aug 2021
DrBrix reported a Steam Wallet vulnerability to Steam over on HackerOne, where you could change the amount you received into your wallet.
You would pay US$ 1 to Steam Wallet and could then change how much money you got in return by intercepting the POST value sent and changing your email to include balance100 (or the amount you wish to receive).
DrBrix provided detailed step-by-step instructions over at HackerOne, and Valve was able to close the issue. Valve increased the severity from Medium to Critical and awarded DrBrix a bounty of US$ 7,500.
Thank you for this report. This was clearly written and helpful in identifying a real business risk. We have changed the severity assessment to Critical, reflecting the potential cost to the business, and applied a bounty accordingly. We hope to hear more from you in the future.
JonP, Valve Staff