[Repost] [Vulnerability Analysis] Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets

A security researcher helped Valve, the makers of the gaming platform Steam, plug an easy-to-exploit hole that allowed users to add unlimited funds to their digital wallet. Simply by changing the account’s email address, the exploit allowed anyone to artificially boost their digital billfold to anything they wanted.

Steam Wallet funds are exclusive to the Steam platform and are used to purchase in-game merchandise, subscriptions and Steam-related content. Valve restricts Steam credits (or money) from being transferred outside its network for purchase or trading. However, there are several unsanctioned ways to convert wallet funds into actual dollars.

Working through the HackerOne bug-bounty program, security researcher DrBrix reported the bug last Monday. By Wednesday, Valve had plugged the hole and paid DrBrix $7,500 for identifying the bug.

The Hack: Turning $1 into $100 or $1M

The bug, which has since been patched, was exploited by abusing Valve’s own application programming interface (API) used to communicate with the third-party web payment firm Smart2Pay, owned by Nuvei.

According to DrBrix, the hack allowed an attacker to intercept the POST request sent from Valve to Smart2Pay. This was done by modifying the Steam user’s email address, which Smart2Pay receives as one of the request fields, as it passed through the Valve API.

“Firstly you will have to change your Steam account email to something like (I will explain why in next steps, amount100 is the important part): brixamount100abc@█████,” the researcher wrote.

This allows the attacker to manipulate communications between Valve and Smart2Pay, circumventing the cryptographic hash used to protect transaction data.

“We can’t change parameters as there is Hash field with signature, however signature is generated like that hash (ALL_FIELDS_NAMES_VALUES_CONCATENATED),” DrBrix wrote. “So with our special email we can move parameters in a way that will change amount for us.”

Where the Valve parameters might be concatenated as “hash(MerchantID1102MerchantTransactionID█████Amount2000…..)”, the attacker can turn $1 into $100 simply by changing the format of the email field.

“So with our special email we can move parameters in a way that will change amount for us. For example, we can change original Amount=2000 to Amount2=000 and after concatenating it still will be Amount2000. Then we can change email from CustomerEmail=brixamount100abc%40████ to CustomerEmail=brix&amount=100&ab=c%40█████████ by this we are adding new field amount with our value,” DrBrix wrote.
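As an added illustration of why that concatenation scheme fails (example code written for this repost, not Valve’s, Smart2Pay’s or the researcher’s code), the Python below signs two constructed request bodies once with a delimiter-free concatenation and once with an unambiguous encoding. The secret key, the example.com addresses, the transaction id, the receiver’s amount-parsing rule and the hash choice (SHA-256 and HMAC-SHA-256; the article does not say which hash the real API used) are all assumptions; the field names and numbers follow the write-up above.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qsl

# Constructed demo key; a real integration would share a per-merchant secret with the provider.
SECRET = b"constructed-demo-secret"

# Constructed request bodies modelled on the write-up: the second body renames Amount=2000
# to Amount2=000 and splits the email so that "amount=100" becomes a field of its own.
ORIGINAL_BODY = (
    "MerchantID=1102&MerchantTransactionID=TX-DEMO-1"
    "&Amount=2000&CustomerEmail=brixamount100abc%40example.com"
)
TAMPERED_BODY = (
    "MerchantID=1102&MerchantTransactionID=TX-DEMO-1"
    "&Amount2=000&CustomerEmail=brix&amount=100&ab=c%40example.com"
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, preserving field order."""
    return dict(parse_qsl(body, keep_blank_values=True))


def naive_signature(params: dict) -> str:
    """The weak scheme the write-up describes: names and values concatenated with no delimiter.

    Any value that happens to contain a later field name can shift the field boundaries
    without changing the bytes that get hashed.
    """
    material = "".join(f"{name}{value}" for name, value in params.items())
    return hashlib.sha256(SECRET + material.encode("utf-8")).hexdigest()


def canonical_signature(params: dict) -> str:
    """Hardened scheme (an assumption, not Valve's or Smart2Pay's code): unambiguous encoding.

    Sorting the fields and JSON-encoding them gives every name and value explicit, escaped
    boundaries, and the HMAC binds the result to the shared secret.
    """
    material = json.dumps(sorted(params.items()), separators=(",", ":"), ensure_ascii=True)
    return hmac.new(SECRET, material.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(params: dict, signature: str, scheme) -> bool:
    """Constant-time check that a received signature matches the recomputed one."""
    return hmac.compare_digest(scheme(params), signature)


def tampered_request_accepted(scheme) -> bool:
    """Sign the original request, then check whether the tampered body still verifies."""
    signature = scheme(parse_form(ORIGINAL_BODY))
    return verify(parse_form(TAMPERED_BODY), signature, scheme)


def charged_amount(body: str) -> str:
    """Assumed receiver behaviour: the amount field is read case-insensitively, last one wins."""
    amount = None
    for name, value in parse_form(body).items():
        if name.lower() == "amount":
            amount = value
    return amount


if __name__ == "__main__":
    print("naive scheme accepts tampered body:", tampered_request_accepted(naive_signature))
    print("canonical scheme accepts tampered body:", tampered_request_accepted(canonical_signature))
    print("amount read by receiver:", charged_amount(ORIGINAL_BODY), "->", charged_amount(TAMPERED_BODY))
```

The naive scheme yields the same digest for both bodies because the string that gets hashed is byte-for-byte identical, so a receiver that then reads the injected amount field is charged 100 rather than 2000. Giving every field an explicit, escaped boundary (here, sorted JSON under an HMAC) makes the two requests hash differently, which is the property a payment signature has to provide; the same problem applies to any scheme that joins fields with a separator the values themselves may contain.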

Valve first rated the bug as of moderate importance. However, after investigating, it escalated the bug to critical, scoring it “9-10” on a scale where 10 is the highest possible rating.

Valve did not return a Threatpost press request for comment.
