Over the summer, a security researcher discovered a flaw in Valve's Steam distribution service which allowed anyone to generate activation keys for any game on the platform, essentially letting you play any of them for free. Artem Morkowsky discovered the bug in an API that's part of Steamworks, a platform which developers can use to get help publishing their games on Steam.

The API in question can be found at partner.steamgames.com/partnercdkeys/assignkeys/, and it's meant to be used by developers to allow users to activate Steam games. Normally, a user wouldn't be able to get keys for games they didn't own, but by passing specific parameters to the API, one could obtain keys for any game. Morkowsky managed to generate and download 36,000 keys for Valve's own Portal 2 game, and also found that the API could be used to get keys for any title with the right parameters.

The bug was reported back in August and Morkowsky earned $20,000 for reporting it, though it's not clear how long it may have been there - or if anyone exploited it - prior to being discovered. Valve was quick to fix the flaw, but it was only recently that the company allowed the researcher to publicly disclose it.

Source: HackerOne via ZDNet