- Aug 3, 2020
Xbox bug could have allowed hackers to link gamer tags with players' emails
Microsoft has patched a bug in the Xbox website that could have allowed threat actors to link Xbox gamer tags (usernames) to users' real email addresses.
The vulnerability was reported to Microsoft through the company's recently launched Xbox bug bounty program.
Joseph "Doc" Harris, one of several security researchers who reported the issue to Microsoft this year, shared his findings with ZDNet earlier this week.
The security researcher said the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site sets a cookie in their browser with details about their web session, so they won't have to re-authenticate the next time they visit the site.
Harris said that this portal's cookie contained an Xbox user ID (XUID) field stored in plaintext, with no signature or other integrity protection, and that the server used that client-supplied value to decide whose profile data to return.
Using the developer tools built into all modern browsers, Harris edited the XUID field in the cookie and replaced it with the XUID of a test account he had created for his work on the Xbox bug bounty program.
"Tried replacing the cookie value and refreshing, and suddenly I was able to see other [users'] emails," Harris told ZDNet in an interview this week.
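The failure mode described above is a server trusting an identifier that the client controls. The following is an added example, not code from the article or from Microsoft, that models the pattern with plain functions instead of a live web server: a vulnerable handler reads the XUID straight from the cookie, while two hardened variants either keep the XUID server-side behind an opaque session token or bind it to an HMAC so a tampered value fails verification. The user table, XUIDs, email addresses and function names are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample accounts; the XUIDs and emails are made up for this example.
USERS = {
    "2533274790395904": {"gamertag": "ResearcherDoc", "email": "doc@example.invalid"},
    "2533274812345678": {"gamertag": "TestAccount01", "email": "victim@example.invalid"},
}


# --- Vulnerable pattern: the cookie carries the XUID in the clear -----------------
def login_vulnerable(xuid):
    """Cookie jar the browser would store after login: the XUID itself, unprotected."""
    return {"xuid": xuid}


def profile_vulnerable(cookies):
    """Server handler that trusts whatever XUID the client sends back."""
    user = USERS.get(cookies.get("xuid"))
    return None if user is None else user["email"]


# --- Hardened pattern 1: opaque server-side session ------------------------------
SESSIONS = {}  # random token -> XUID, kept only on the server


def login_session(xuid):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = xuid
    return {"session": token}


def profile_session(cookies):
    """The XUID never leaves the server; the cookie only names a session."""
    xuid = SESSIONS.get(cookies.get("session"))
    user = USERS.get(xuid)
    return None if user is None else user["email"]


# --- Hardened pattern 2: XUID in the cookie, but bound to an HMAC -----------------
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def _mac(value):
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def login_signed(xuid):
    return {"xuid": f"{xuid}.{_mac(xuid)}"}


def profile_signed(cookies):
    """Reject the cookie unless the MAC matches the XUID it claims (constant-time compare)."""
    value, _, mac = cookies.get("xuid", "").rpartition(".")
    if not value or not hmac.compare_digest(mac, _mac(value)):
        return None
    user = USERS.get(value)
    return None if user is None else user["email"]


def tamper(cookies, name, new_value):
    """What an attacker does in the browser's devtools: edit one cookie field."""
    return {**cookies, name: new_value}


def demo():
    """Log in as one account, swap in another account's XUID, see which handler leaks."""
    me, victim = "2533274790395904", "2533274812345678"
    results = {}

    results["vulnerable"] = profile_vulnerable(tamper(login_vulnerable(me), "xuid", victim))

    results["session"] = profile_session(tamper(login_session(me), "session", victim))

    own = login_signed(me)
    own_mac = own["xuid"].split(".")[1]
    forged = f"{victim}.{own_mac}"  # reuse the attacker's own MAC on the victim's XUID
    results["signed"] = profile_signed(tamper(own, "xuid", forged))

    results["signed_legit"] = profile_signed(login_signed(me))
    return results


if __name__ == "__main__":
    for name, email in demo().items():
        print(f"{name:13s} -> {email}")
```

Only the vulnerable handler returns the other account's email; the session handler finds no session for the pasted XUID, and the signed handler fails the MAC check because the attacker cannot compute a tag for a value they did not log in with. Either server-side change would have closed the hole Harris describes.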
Harris also shared a video of the bug, embedded below: