So, devs got lazy and decided an internally facing interface wasn't really in need of any real security. Said interface is steamworks.
I could never find a bug like this. Just sending random AJAX requests? Surely, no one would be that stup... Oh.
I have too much faith in humanity still...