>find security issue in Steam 2 years ago where you can make purchases on a Steam account without verification if the user has PayPal or Credit Card info saved
>this means all someone has to do is get another user's session to be able to make purchases on paypal or credit card
>report it to Valve's head of engineering
>they fix it a few months later by making people sign in again before finishing a purchase
>now this happens, active sessions getting assigned to random people
>tfw I literally saved millions of steam users from having their paypal and CCs emptied by reporting a vulnerability I found 2 years ago.
You're welcome guys
t-thanks
thanks op
Thanks based nigga
Thanks. But I have -88 dollars in my paypal account. So no worries.
Thanks OP
>>321438303
OP is a faggot
>no payment info saved
>less than 50 cents in steam wallet from selling cards/crates/skins
>two factor authentication enabled
Let morons reap what they sow
i-i knew i shouldnt have saved my credit card t-thanks op
>>321438303
>not getting any profit from saving shitty corporations billions
Thanks, but you are a huge faggot if you didn't profit the fuck out of that.
>>321440265
I was taught not to seek compensation for reporting vulns or it'll open me up to legal action, unless the company has a bug bounty program which Valve doesn't.
uh-huh, sure you did.
Hey anons, I'm Gaben! I'm here to let you know that I in fact am Gaben. Yes, that's right, the one and only.
>>321441256
I'm on mobile atm but here's a snippet of my email to Valve.
>>321441782
sweatingman.jpg
>>321441782
>Ubuntu bypasses steam guard
wat
you are my batman
>>321441782
>>321438303
i have no idea what any of this shit means but good on you
idk what this means but im safe right?
>>321445282
Yea, the "other levels of authentication" he mentioned after I emailed him back for a follow-up basically meant you had to manually log in with your username and password again before transactions can be completed.
>>321438303
*sends karma*
gj bro (:
>>321445908
Which means just having access to another user's session, which is what appears to be happening, won't let you make purchases on their paypal or credit card.
>>321438303
You got a username bro? I'll buy you a game.
>>321438303
if youre being honest you can have a game from me
>>321438303
>>they fix it a few months later by making people sign in again before finishing a purchase
>>321445908
>basically meant you had to manually log in with your username and password again before transactions can be completed.
You knowingly lied to us and in fact did nothing, why?
>>321445908
>>321446173
fuck thanks bro
W-what happened?
>>321446857
I would say lied but he does seem to contradict himself.
>>321438303
>>321441782
Thanks bro.
>>321438303
Thanks bro.
>>321446857
What do you mean? For all I know they could've already had it in the pipeline to require re-sign-in before finishing a purchase but at the time they didn't.
I tested it using my own steam account by hijacking my session on a PC I've never logged into before and was able to bypass Steam Guard and make purchases on it without ever having to log in (type name/pass).
I reported that. And a few months later I emailed Valve again asking for a follow up and that was the reply they gave me. And when I tested it again, I was stonewalled by a login screen on my attacker machine, which meant it was fixed.
>>321446458
>>321446793
Sure if you guys want to, http://steamcommunity.com/id/hyzzy/
>>321447552
Oh, so they basically said it was there the whole time and just sneakily put it in?
Well, thank you for helping us all. What kinda games do you like?
>>321441782
Back on my computer.
Here's the full email of the report I sent before. The highlighted portion is the main thing that Valve fixed after my report as you now have to sign in again before completing a transaction.
So if your steam session is stolen, your funds should still be safe as the attacker does not have your password.
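Added example, not part of the thread and not Valve's code: a minimal Python sketch of the fix described above, where holding a valid session is no longer enough to spend saved payment info and a fresh password check is required per purchase. The account data, `REAUTH_WINDOW`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

REAUTH_WINDOW = 120  # seconds a fresh password check stays valid (assumed policy)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account with a saved payment method.
_SALT = os.urandom(16)
ACCOUNTS = {"alice": {"salt": _SALT,
                      "pw_hash": hash_password("correct horse", _SALT),
                      "saved_card": "card-ending-1111"}}

class Session:
    """Server-side session state; holding the token proves only this much."""
    def __init__(self, user: str):
        self.user = user
        self.reauth_at = None  # set only by a successful password check

def reauthenticate(session, password, now=None) -> bool:
    acct = ACCOUNTS[session.user]
    ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"])
    # A failed attempt also clears any earlier successful check.
    session.reauth_at = (time.time() if now is None else now) if ok else None
    return ok

def purchase_before_fix(session, item):
    # Behaviour the report describes: a valid session alone spends saved funds.
    return f"charged {ACCOUNTS[session.user]['saved_card']} for {item}"

def purchase_after_fix(session, item, now=None):
    now = time.time() if now is None else now
    fresh = (session.reauth_at is not None
             and 0 <= now - session.reauth_at <= REAUTH_WINDOW)
    if not fresh:
        return "reauth_required"  # a copied session stops here
    session.reauth_at = None  # single use: one password check, one purchase
    return f"charged {ACCOUNTS[session.user]['saved_card']} for {item}"
```

Clearing `reauth_at` after each purchase matters: otherwise a session copied just after the real user re-entered their password would inherit the open window.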
>>321447772
Still not sure what you mean, but the fact that Valve made it so that you MUST sign in again before purchasing is what's keeping others from making unauthorized purchases on your account.
I was eyeballing 7 Days To Die or that new RTS game from Stardock but haven't pulled the trigger yet.
>>321449096
>deleted my paypal details from steam a week ago
thank the lord
>>321438303
I am a virgin girl but I've been told that I'm cute, can I do you a sexual favor perhaps?
>>321449096
Huh. Cool. Nice going there, anon.
>>321449096
>Sent from my Boomerang
>>321449096
did they at least refund you for the game you bought?
>having secrets of the magic crystal in your library
>>321449096
>6/28/14
>>321450136
Yea got my dates confused, not exactly 2 years ago. But still.
>>321450086
Nope, just ended up trading the games away for TF2 keys so I could trade those for games I want in the future.
You're a cool guy OP
>>321449096
Never stop fighting the good fight
Need more white hats around here
>>321450086
>tfw buying secrets of magic crystals to my steam friends every sale
>one of them buys it to me
>>321438303
Thanks, dude. You're a cool dude/gril.
Bring this to Valve's attention, maybe they'll hire you.
>>321438303
You did get some kind of compensation right?
At least some free games or something.
>>321450867
>anon can't read
>>321451068
Nah, but it's alright I just used it as a learning experience and I had fun doing it.
>>321449096
HE
DID
IT
FOR
FREE
>>321451068
He shouldn't have. That'd be something like ransom. Don't put your trust into these guys all willy nilly man, if they can access a vulnerability like this they sure as fuck can sell/give it to a hacker.
>>321449096
Good job man.
>>321451304
Same anon here. Sorry OP didn't mean to discredit you. You're a good man. <3
>>321449096
Noice
>sent from my boomerang
>>321438303
Fuck you OP. I could have sued the shit out of them.
Nah but for real thanks.
>>321438303
>google old email address 7 years ago
>gawker has everyone who has ever signed up for their website in plain text on a page with their emails and username
>send them an email to inform them
>they reply with a snide remark
>say fuck if I care I never used the e-mail address anyways
>literally save no one from anything
>>321451693
>Gawker
aren't they getting assfucked by the courts right now for that exact reason?
>>321451989
no, they might get assfucked because the hulkster got mad
>>321451290
Worse, he PAID to do it!
>>321449096
>Sent from my Boomerang
phone brands are starting to get ridiculous
>>321440265
That's called blackmail you retard
>>321451290
>>321452104
OP here.
kek, you guys are actually right.
>>321438303
OP! AH AHHHH! SAVIOR OF THE UNIVERSE!
Security researcher here
This guy >>321452161 is right and what OP did was the safest thing he could've done. You can't just contact a company and say "i have a bug, give me something and I'll tell you what it is" without getting lawyers on your ass. It's dangerous. The best thing to do is to just report it and hope the company is nice enough to give you something in return
>>321450623
>>321452785
>mfw there were white hats near me
>>321447552
http://steamcommunity.com/id/hyzzy/wishlist
this your wishlist OP?
don't mind me
>>>/g/52055843
>>321453669
yes
>>321454079
also https://twitter.com/SteamDB/status/680528031761481728
Issue was read only, not a happening. Time to go home lads.
>>321438303
Based OP, the world needs more people like you
>finally get back into account
>last purchase is killer is dead which I bought during the thanksgiving sale
>check paypal
>nothing, still unlinked just to be safe
I think I survived, but knock on wood and all that.
>>321454369
>Rustle Avatar
NOOOOOOO
>>321454664
>>321447552
>>321453669
>TESO
>>321438303
Thank you for your service.
>>321454885
I-It looked fun in youtube gameplay videos ;_;
OP here.
It seems that it was just a caching issue where people were being served pages cached for other users. At worst you could navigate to the user info page and see their emails and the last 4 digits of the credit card, but you couldn't actually do anything with the person's account. It was not a session-related bug.
>>321449096
>Sent from my Boomerang
I didn't know Steam Support hired Australians
>>321438303
You just saved Christmas, anon!
>>321457008
Isn't the creator of TF2 Australian?
>>321457690
That would explain why the game is such unplayable shit.
>>321450703
>tfw that's why I have SotMC as well as Bad Rats, among plenty of other "why the fuck is this even on Steam" games
>>321438303
>mfw paysafecard
>>321449096
>I've forward it
This is the caliber of employee Valve hires