No one will report such a vuln for just $7500 on Steam. Gabe, nice job.
$7.5k seems very low for this vulnerability.... That guy could have used it to generate millions, then bought CS:GO skins and cashed them out on a third-party site into real money....
I was just thinking the same thing.
A 7,500 dollar payout for a bug that could've cost Steam millions.
He would have been sued for sure if he had done that.
Great video, I think US$7.500 is a cheap reward for the magnitude of the vulnerability.
Exactly what I was thinking, man. Ppl got $30,000 for admin account takeover. How is this getting only 7500? Steam is cheap as hell.
They will learn, when someone sells the vulnerability on the dark web for thousands of dollars.
@@eggman2543 That's when they get into trouble. Do not mess with the dark web if you think long term.
@@soksamnang2150 ss
This will hurt Steam in the long run I think. Dude only got $7500 for an exploit that literally steals money; the next one won't be reported.
What a simple but brilliant approach. Great explanation.
Very interesting, but how did the researcher know that the hash was being generated by concatenating the parameters and values? You said Steam was not open source, and you also wouldn't be able to test possibilities to see if they match because you don't have the secret key.
Steam is not, but some plugins for Smart2Pay are available on GitHub. For example, when preparing for this video, I was reading this project: github.com/Smart2Pay/opencart1564
Funny thing I've noticed in this outdated one: github.com/Smart2Pay/magento
Here, the hash was generated without any secret 😂
@@BugBountyReportsExplained Oh cool, makes sense. Thanks for the info
@@J0R1AN Interesting thinking, well done.
Haha, what a fantastic, clever bug! Such a little change yet big impact. Really shows the importance of reading docs for third-party software incorporated by your target.
So he had the ability to get unlimited funds on the biggest game platform in the industry, and he sold the ability for 7500.
Isn't $7500 very little for this bug?? What do you think?
There's always this discussion. The bounty paid often doesn't equal potential losses for the company.
But the sad truth is that, looking from the program's perspective, if there are hunters who are willing to dedicate their time knowing what bounty they will potentially get, then payouts are enough. Basically, hunters vote with their time on whether payouts are good enough or not.
Woah, so cool, thanks for the detailed explanation!
Out of technical curiosity... does anyone know if they can track where the generated money went? Or will they?
The bug is fixed already.
@@BugBountyReportsExplained I know it is. I am very new to all of this and it doesn't make much sense to me; I just wanted to know some very basic safeguards as to how a company can defend itself (back-track the bug, etc.).
Ah, that's a good question then. They should have a way to track it. For one, they could compare the amounts of all completed transactions in Steam's database and Smart2Pay's database. There might also be another, easier way for that; it depends on the specific logging of these transactions.
@@BugBountyReportsExplained Add "OUTDATED" to the title; bet they patched it because of this vid.
How to start on bug hunting? What do I need to learn / what skills do I need? For example, Google opened a bug bounty program for Android 12 on Pixel 5, 4, 4A, 3 devices, etc. Do I need to buy the phone to perform the pentest? Is pentesting similar to bug hunting?
Edit: and the tools?
Start learning with PortSwigger's Web Security Academy. Don't worry about mobiles yet. Pentesting is somewhat similar to bug bounty. Learn Burp Suite.
Big brains bro... good job, great explanation.
Great explanation. Some serious logical thinking by the researcher.
Even Italy can do this? I think it's cheap.
Wondering how the researcher figured out the hash.... Great video.
I was wondering, too. I can't speak for him, but when preparing for this video, I was looking at the source code of signature generation from one of the open source Magento plugins for Smart2Pay: github.com/Smart2Pay/opencart20/blob/master/catalog/controller/payment/smart2pay.php#L518
The link leads to the line where the signature is created, and above it is the for loop that splits the body by & and = and concatenates.
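The two replies above describe a signature built over the bare concatenation of parameter names and values, and an older plugin that computed the hash with no secret at all. The following is an added illustration written for this thread, not Smart2Pay's, Steam's or the plugin's code: a constructed naive scheme of that shape, two constructed callbacks it cannot tell apart, and a hardened verifier (unambiguous encoding, a keyed HMAC, and a check of the amount against the merchant's own record). All field names, values and the secret are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed illustration, not Smart2Pay's or Steam's real code: a digest over
# the bare concatenation of keys and values, as described in the comment above.
def naive_signature(params: dict) -> str:
    joined = "".join(k + v for k, v in params.items())
    return hashlib.sha256(joined.encode()).hexdigest()   # note: no secret at all

# Hardened version: sorted keys, percent-encoded key=value pairs joined by '&'
# (so '&', '=' or a key name inside a value can never look like a boundary),
# and an HMAC keyed with a secret shared only by the merchant and the gateway.
def hmac_signature(params: dict, secret: bytes) -> str:
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def verify_callback(params: dict, sig: str, secret: bytes, expected_amount: str) -> bool:
    """Accept a payment callback only if the HMAC matches AND the amount agrees
    with what the merchant recorded for this order on its own side."""
    good_sig = hmac.compare_digest(hmac_signature(params, secret), sig)
    return good_sig and params.get("amount") == expected_amount

# Two different (constructed) callbacks whose key+value concatenation is
# byte-for-byte equal ("memogiftamount5amount0"), so the naive digest cannot
# tell them apart; the canonical forms "amount=0&memo=giftamount5" and
# "amount=5amount0&memo=gift" are distinct.
CALLBACK_A = {"memo": "giftamount5", "amount": "0"}
CALLBACK_B = {"memo": "gift", "amount": "5amount0"}
SECRET = b"constructed-shared-secret"   # assumption: shared merchant/gateway key

def naive_collides() -> bool:
    return naive_signature(CALLBACK_A) == naive_signature(CALLBACK_B)

def hmac_collides() -> bool:
    return hmac_signature(CALLBACK_A, SECRET) == hmac_signature(CALLBACK_B, SECRET)

if __name__ == "__main__":
    print("naive digests collide:", naive_collides())   # True
    print("HMAC digests collide: ", hmac_collides())    # False
    sig = hmac_signature(CALLBACK_A, SECRET)
    print("A accepted, expected amount 0:", verify_callback(CALLBACK_A, sig, SECRET, "0"))
    print("A accepted, expected amount 5:", verify_callback(CALLBACK_A, sig, SECRET, "5"))
```

The point is that a valid signature only proves the bytes were not altered; it never proves the amount is the one the merchant asked for, so that comparison has to happen against the merchant's own order record.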
Nice find. It seems that Steam doesn't care about security; how can they pay just 7500 for this bug?
Oof, tfw you traded literally infinite money for $7500.
How could one subscribe without a credit card?
It's not possible at the moment. What payment method would you like to use?
@@BugBountyReportsExplained Paypal would work!
Oh yeah, PayPal would be dope. It's my only option here in Germany.
Hello! Welcome to the comment section. If you want to get access to hands-on labs, along with many other benefits of BBRE Premium, click here: premium.bugbountyexplained.com/
To get 25% off, use the code AMOUNT100
Does this method still work?
I didn't expect you to be my countryman :) Great job!!!
Regards!
Btw this doesn't work. It's just a scam.
But does that actually work?
If it did, it wouldn't be on YT.
How tf do I do this bro?
Thanks for the video =)
7500???? 75k would have been meh.
bro traded infinite money for literally nothing💀💀💀
Is this working?
Of course it's fixed, otherwise it wouldn't be on YT.
Ha. Genius. Thanks for sharing
That's why ppl fuck with websites and etc.... $7500 from Steam? Lol
Too little money for such a critical vulnerability.
Just great as always 👌👌👌. So it's basically like abusing an API to manipulate arguments like HTTP content. I am actually trying to discover some bugs in mobile applications, but I am stuck at the point of what tools can analyse most of the protocols other than HTTP interceptors like Burp or ZAP. Where can I find such tools and documentation for them? Cuz I think that most undiscovered bugs lie in those uncommon communication protocols (for example, I know that WhatsApp uses a unique protocol created by the WhatsApp team, but I don't know how to intercept it).
You can use Wireshark to analyse traffic, but I don't think you will be able to intercept it and modify it in flight. It will be hard to find a tool ready for a custom-made protocol.
You can also go the other way. Instead of intercepting the message after it leaves WhatsApp, try to attach to the application and modify messages that way. I'm not an expert when it comes to these things, but tools that come to my mind for that would be Frida or gdb.
@@BugBountyReportsExplained Yeah, I actually heard once about Frida in a conference talk, maybe it is the way to go, as completely reverse engineering a program to manipulate messages is still out of my league 😂. Thanks bro and keep up the good work 👌👌
@@ahmadshami5847 thanks mate, good luck with it
Hey.... where do I suggest ideas?
There is a massive UPnP exploit that everyone should know about, but it's a bit complicated and not very new.
You can suggest here, on Twitter or via an email.
Great bruh
simple yet critical 😅💔
Excellent
Great video. It's always a pleasure watching your videos. Bug hunting requires critical thinking or analysis of events. I'm looking for a mentor in this field. I completed my CEH Practical last year but I guess there is a lot I need to learn from experts.
CEH is garbage man
@@bravo-6900 I didn't get good advice before I enrolled. Which one do you recommend?
@@peterchari3839 It depends, but mostly OSCP, SANS. But not sure; nowadays they seem to be looking for projects, bug reports, any website or something to enhance your profile when you're looking for a job.
@@peterchari3839 dd
Good bro
Nice April Fools joke.
🔥🔥🔥
pRzElEwY 24 iS a GoOd ChOiCe!
(lol)
(it's Polish)
It's not a bug on their side.
@@BugBountyReportsExplained I know
sorry :I
Hi, that's perfect.
But you know... I couldn't access PayPal beyond adding funds; it tells me (oops Sorry) then couldn't accept my request.
This bug was fixed.
@@BugBountyReportsExplained So I can't cheat money, right? 😮💨
send weed
great Pole
🔥🔥🔥