the researcher was able to generate a valid transaction hash by adding the separator characters back into the payload.

The issue was reported to Valve Software, and they have fixed it in version 2.0 of their API (released on July 31, 2021). The vulnerability is registered as CVE-2021-34642 and is currently waiting for classification.

Lessons learned here:

Validate input parameters for security flaws like this one, which can lead to money being generated out of thin air or to other kinds of attacks. In this case, we saw an example of OWASP A9, Sensitive Data Exposure Through Query Strings. Validate all inputs before using them in calculations, especially when they come from user data.
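To make the "validate before you calculate" lesson concrete, here is an added example (not Valve's code, and not the researcher's payload) that shows the difference between a lenient amount parser, which silently strips separators, and a strict one that accepts only a canonical decimal form, converts it to integer minor units, and signs the validated values so the amount that is hashed is the amount that is used. The field names, the HMAC-SHA256 scheme and the secret are assumptions made for this illustration:

```python
import hashlib
import hmac
import re
from decimal import Decimal, InvalidOperation

# Hypothetical server-side signing secret, constructed for this example only.
SERVER_SECRET = b"example-secret-do-not-use"

# Canonical amount: no sign, no thousands separators, no surrounding whitespace,
# at most nine integer digits and an optional two-digit fraction.
AMOUNT_RE = re.compile(r"^(0|[1-9]\d{0,8})(\.\d{2})?$")


def parse_amount_lenient(raw: str) -> float:
    """The weak pattern: strip separators and hope the result is what the
    client meant. Kept here only for contrast; never use this for money."""
    return float(raw.replace(",", "").replace(" ", ""))


def parse_amount_strict(raw: str) -> int:
    """Return the amount in minor units (cents) or raise ValueError.

    Only the canonical form is accepted, so every party computes the same
    value from the same bytes and nothing is normalised away on one side only.
    """
    if not isinstance(raw, str) or not AMOUNT_RE.fullmatch(raw):
        raise ValueError(f"amount not in canonical form: {raw!r}")
    try:
        value = Decimal(raw)
    except InvalidOperation as exc:
        raise ValueError("amount is not a decimal") from exc
    cents = int(value * 100)
    if cents <= 0:
        raise ValueError("amount must be positive")
    return cents


def canonical_payload(fields: dict) -> bytes:
    """Serialise fields in a fixed key order with an unambiguous encoding.

    Values containing the encoding's own separator characters are refused,
    so a payload cannot be re-split differently by the verifier.
    """
    parts = []
    for key in sorted(fields):
        value = str(fields[key])
        if "&" in value or "=" in value:
            raise ValueError(f"separator character in field {key!r}")
        parts.append(f"{key}={value}")
    return "&".join(parts).encode()


def sign_payment(fields: dict) -> str:
    """Validate first, then sign the validated representation (assumed scheme)."""
    cents = parse_amount_strict(fields["amount"])
    signed_fields = {**fields, "amount_minor": cents}
    return hmac.new(SERVER_SECRET, canonical_payload(signed_fields), hashlib.sha256).hexdigest()


def verify_payment(fields: dict, signature: str) -> bool:
    """Recompute the signature over the strictly validated fields; any
    validation failure is treated as a bad signature, not as a lenient retry."""
    try:
        expected = sign_payment(fields)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample order; the ids and currency are placeholders.
    order = {"order_id": "ORDER-EXAMPLE-1", "currency": "USD", "amount": "1000.00"}
    sig = sign_payment(order)
    print("valid order verifies:", verify_payment(order, sig))
    print("tampered amount verifies:", verify_payment({**order, "amount": "0.01"}, sig))
    print("lenient parser accepts '1,000.00':", parse_amount_lenient("1,000.00"))
```

Usage: the signer and the verifier both run `parse_amount_strict` and `canonical_payload`, so a value that the lenient parser would quietly reshape is rejected outright rather than being interpreted one way when the hash is made and another way when the balance is credited.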