Microsoft has recently patched a bug that allowed hackers to get players’ emails by linking Xbox gamer tags (usernames) inside the official Xbox website.

By default, all Xbox users must register their gamer tags with an email address, which is kept private. But, according to reports, an anonymous hacker told the tech publication Motherboard that the bug made it easy to access any user’s email.

Do you own an Xbox? Do you play regularly? Then the following info will be helpful to you.

How the Xbox Bug Allowed Hackers to Get Player’s Emails

The functionality of the bug itself isn’t entirely clear yet, but the main point here is how hackers could extract a good chunk of users’ personal information through the Xbox Live portal.

That portal is where the Xbox Policy and Enforcement team manages the Xbox Live community and is supposed to protect its privacy.

The Microsoft Security Response Center initially dismissed the bug as a non-serious risk.

This division (MSRC) was formed to protect customers from vulnerabilities in the company’s products and software. 

But they told Motherboard that fixing the bug was left to the Xbox Live product team.

Funnily enough, the same anonymous hacker told Vice’s publication that this was “the easiest vulnerability [they’d] ever found.”

It was made clear that if the bug doesn’t get patched, it will keep allowing more hackers to quickly pull any data they want on Xbox Live players. That quickly becomes a privacy issue when thousands of players are targeted for doxing and/or harassment.

Those are common forms of abuse in the gaming community, and they sometimes have fatal consequences.

Joseph “Doc” Harris shared his findings a few weeks ago. He encountered the bug inside enforcement.xbox.com. In this portal, users can see strikes against their own or others’ Xbox profiles, with the option to file an appeal (if they were unfairly banned from the network).

He explains that the site creates a cookie in the browser with web session details right after a user logs in. That way, they don’t have to re-authenticate on their next visit.

This cookie contained an unencrypted Xbox user ID (XUID) field, which could be edited and replaced with tools that are included in all popular browsers.

Harris edited the XUID field of a dummy account he used for testing as part of an Xbox bug bounty program. He “tried replacing the cookie value and refreshing, and suddenly I was able to see other [users’] emails.”

The bug can be seen on the embedded video, below.

Fortunately for the whole Xbox community, Microsoft already deployed the patch last month. According to Harris, encrypting the XUID was the right way to fix it.
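The flaw described above is a textbook case of a server trusting a client-editable identifier for authorization. The following is an added example, not Microsoft’s, Harris’s or this article’s code: a constructed in-memory lookup service that shows the vulnerable pattern (reading the account XUID straight out of the cookie) beside two server-side fixes, an opaque session token resolved on the server and an HMAC-authenticated cookie. All user records, keys, cookie names and function names are constructed for the example.

```python
"""Constructed demonstration (not Microsoft's, Harris's or the article's code)
of why an identifier stored in a client-editable cookie must not drive
authorization, and two server-side ways to close that hole."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample user database: XUID -> private profile data.
USERS = {
    "1001": {"gamertag": "AlphaPlayer", "email": "alpha@example.test"},
    "1002": {"gamertag": "BravoPlayer", "email": "bravo@example.test"},
}

# Server-side session store: opaque token -> XUID. Filled only by login().
SESSIONS = {}

# Server-held key for authenticating cookie contents (constructed; never sent
# to the client).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _cookie_field(cookie_header: str, name: str) -> Optional[str]:
    """Parse a raw Cookie header value and return one field, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


# --- Vulnerable pattern: the cookie itself names the account -----------------

def vulnerable_email_lookup(cookie_header: str) -> Optional[str]:
    """Trusts the plaintext 'xuid' field. Whoever edits the cookie chooses
    which account's email comes back (the flaw class the article describes)."""
    xuid = _cookie_field(cookie_header, "xuid")
    user = USERS.get(xuid or "")
    return user["email"] if user else None


# --- Fix 1: opaque session token resolved server-side -----------------------

def login(xuid: str) -> str:
    """Issue an unguessable session token and bind it to the XUID on the server."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = xuid
    return token


def session_email_lookup(cookie_header: str) -> Optional[str]:
    """The cookie carries only the opaque token; the XUID is looked up server-side,
    so editing the cookie cannot select another account."""
    token = _cookie_field(cookie_header, "session")
    xuid = SESSIONS.get(token or "")
    user = USERS.get(xuid or "")
    return user["email"] if user else None


# --- Fix 2: authenticated (HMAC-signed) cookie ------------------------------

def sign_xuid(xuid: str) -> str:
    """Return 'xuid.tag' where tag is an HMAC-SHA256 over the XUID with SERVER_KEY."""
    tag = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return f"{xuid}.{tag}"


def signed_email_lookup(cookie_header: str) -> Optional[str]:
    """Accept the XUID only if its tag verifies; an edited XUID fails the check."""
    value = _cookie_field(cookie_header, "xuid_signed")
    if not value or "." not in value:
        return None
    xuid, tag = value.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    user = USERS.get(xuid)
    return user["email"] if user else None


if __name__ == "__main__":
    # A cookie rewritten to name another account: the vulnerable handler obeys it.
    print(vulnerable_email_lookup("xuid=1002"))               # bravo@example.test
    # The same trick against the session-based handler finds no such token.
    print(session_email_lookup("session=1002"))                # None
    token = login("1001")
    print(session_email_lookup(f"session={token}"))            # alpha@example.test
    # A genuinely signed cookie works; one with a rewritten XUID is rejected.
    print(signed_email_lookup("xuid_signed=" + sign_xuid("1001")))  # alpha@example.test
    tampered = "1002." + sign_xuid("1001").split(".", 1)[1]
    print(signed_email_lookup(f"xuid_signed={tampered}"))      # None
```

The article reports the fix as server-side and quotes Harris calling encryption of the XUID the right approach; the property that actually closes the hole is that the server stops acting on a value the client can rewrite. An opaque token or an integrity-protected cookie both give that property, whereas encryption without an integrity check does not by itself stop a tampered ciphertext from decrypting to a different identifier.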

He also said that other Xbox subdomains don’t suffer from the same issue.

A Microsoft spokesperson said in an email on Tuesday: “The fix was deployed server-side, and there are no additional steps that users need to take to stay protected.”

While this one bug wasn’t covered by the Xbox bug bounty program, the company still agreed to highlight Harris on their Hall of Fame as a contributor. 

That is what a security analyst who triages bug reports for the Security Response Center said.

Now, here’s something that seems quite “off.”

Microsoft didn’t classify the bug as worthy of a monetary reward (because it wasn’t capable of hijacking Xbox accounts), yet it still allowed hackers to get players’ emails.

And as mentioned before, email addresses that link to real-world identities make harassment easy. With the plethora of tools available online, it’s possible to draw connections between online profiles from the slightest piece of personal information.

The fact that most gamers use the same address for most of their accounts helps hackers.

A security expert who works in the gaming industry agreed, saying: “That’s a big privacy nightmare. That’s some irony right there if their trust and safety portal is leaking personal information.”

On the other hand, Amir Khashayar Mohammadi said that he wasn’t surprised about the bug. 

Are you surprised? Please, let me know in the comments!

I truly hope that nothing bad has happened to you because of it – or due to any other third-party breach.

If something happened to your own company, then it’s time to fix it (Now).