Microsoft recently fixed a vulnerability on the Xbox website that allowed cybercriminals to gain access to users’ email from their gamertags (usernames). The vulnerability was reported by Joseph “Doc” Harris, a company security researcher.
In commenting on the vulnerability, Harris said the bug was found on the ‘enforcement.xbox.com’ website, which Xbox console users visit to check whether there has been an attack on their account and to appeal in cases of unfair punishments by the company.
After a user logs into the site, it sets a cookie in the browser containing details about the session, so that the user does not have to re-enter credentials on subsequent visits.
Harris states that this cookie has a field for the Xbox User ID (XUID), and that this value was not encrypted. Because of this, by opening the browser’s cookie storage, the researcher was able to read the value and replace the identifier with the XUID of a test account he uses.
Once the value had been swapped and the page refreshed, the site displayed the email associated with the new ID. “I tried to replace the cookie value and update, and suddenly I was able to see other users’ emails,” says Harris in an interview with ZDNet.
Vulnerability allowed hackers to access email associated with Xbox Live accounts. Photo: Gorodenkoff / Shutterstock
To resolve the issue, Microsoft has released a patch. “The solution was to encrypt the XUID,” said Harris. However, despite having fixed the problem, Microsoft did not exactly regard it as a flaw.
As a result, Harris did not receive a reward, despite having used Microsoft’s dedicated bug bounty channel to report the issue. According to a security analyst at the company’s Security Response Center, which triages submitted reports, the bug was not covered by the program because, although it was a flaw, it could not be exploited to break into the Xbox itself, for example.
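The defect described above is a classic case of a server trusting an identifier that the client can rewrite. The following toy model is an added example and is not Microsoft’s code; the real enforcement.xbox.com implementation is not public, and the account table, XUIDs and email addresses below are constructed. The vulnerable variant stores the bare XUID in the cookie and looks it up as-is; the hardened variant binds the XUID to a server-side HMAC so that an edited value is rejected, which is the tamper-resistance property the reported fix (“encrypt the XUID”) provides. The `edit_xuid_field` helper reproduces the cookie edit from the report as a regression test a defender would keep.

```python
"""Toy model of a session cookie carrying a user identifier.

Vulnerable pattern: the cookie is the plaintext XUID and the server trusts it.
Hardened pattern: the XUID is accompanied by an HMAC computed with a key that
never leaves the server, so any change to the XUID fails verification.
All account data here is constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample accounts: XUID -> profile. Not real Xbox data.
USERS = {
    "2533274790395904": {"gamertag": "ResearcherTestAcct", "email": "test@example.com"},
    "2533274812345678": {"gamertag": "SomeOtherPlayer", "email": "victim@example.com"},
}

# Per-deployment secret; in practice loaded from a secret store, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def login_vulnerable(xuid: str) -> str:
    """Issue the insecure cookie: the session identifier *is* the XUID."""
    return f"xuid={xuid}"


def profile_vulnerable(cookie: str) -> Optional[str]:
    """Return the email for whatever XUID the client sent back (no integrity check)."""
    xuid = cookie.removeprefix("xuid=")
    user = USERS.get(xuid)
    return user["email"] if user else None


def _sign(xuid: str) -> str:
    """HMAC-SHA256 over the XUID with the server-only key."""
    return hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()


def login_hardened(xuid: str) -> str:
    """Issue a cookie whose XUID is bound to a server-side MAC."""
    return f"xuid={xuid}; sig={_sign(xuid)}"


def _parse_cookie(cookie: str) -> dict:
    """Split 'k=v; k2=v2' into a dict; malformed pieces are ignored."""
    return dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)


def profile_hardened(cookie: str) -> Optional[str]:
    """Return the email only if the XUID's signature verifies."""
    parts = _parse_cookie(cookie)
    xuid = parts.get("xuid", "")
    sig = parts.get("sig", "")
    # Constant-time comparison; a missing or stale signature also fails here.
    if not hmac.compare_digest(sig, _sign(xuid)):
        return None
    user = USERS.get(xuid)
    return user["email"] if user else None


def edit_xuid_field(cookie: str, new_xuid: str) -> str:
    """Regression-test helper: model a client editing the xuid field in cookie storage."""
    parts = [p.strip() for p in cookie.split(";")]
    parts = [f"xuid={new_xuid}" if p.startswith("xuid=") else p for p in parts]
    return "; ".join(parts)


if __name__ == "__main__":
    own = login_vulnerable("2533274790395904")
    print("vulnerable, own cookie:   ", profile_vulnerable(own))
    print("vulnerable, edited cookie:", profile_vulnerable(edit_xuid_field(own, "2533274812345678")))
    signed = login_hardened("2533274790395904")
    print("hardened, own cookie:     ", profile_hardened(signed))
    print("hardened, edited cookie:  ", profile_hardened(edit_xuid_field(signed, "2533274812345678")))
```

The point to take from the hardened variant is that the server, not the cookie, is the source of truth about who the session belongs to: either the identifier carries a key-bound integrity check as here, or the cookie holds only an opaque random session ID that is mapped to the XUID server-side. Either way, an edited identifier yields a refusal rather than another user’s data, and a spike in such verification failures is itself a useful detection signal.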
Even so, this raises a very important issue from a security point of view. Although Microsoft did not consider it a major flaw, many people use the same email address across several services, and having that address in the hands of a malicious person can be dangerous.