Date: 2020-11-26

The Xbox bug could have allowed hackers to link gamer tags to user emails.

Microsoft has fixed a bug on the Xbox website that could have allowed threat actors to link Xbox gamer tags (usernames) to users’ actual email addresses.

The vulnerability was reported to Microsoft through the company’s recently launched Xbox bug bounty program.

Joseph “Doc” Harris, one of several security researchers who reported the problem to Microsoft this year, shared his findings with ZDNet earlier this week.

The security researcher said the bug was traced to enforcement.xbox.com, the web portal that Xbox users visit to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.

Once users log into this website, the portal sets a cookie in their browser containing details about their web session, so they do not have to re-authenticate the next time they visit the site.

Harris said that the cookie set by this portal contained an Xbox User ID (XUID) field that was not encrypted.

Using the tools included in all modern browsers, Harris edited the XUID field and replaced it with the XUID of a test account that he had created and used for testing as part of the Xbox bug bounty program.

“I tried to override the cookie value and update, and suddenly I could see the emails of other [users],” Harris told ZDNet in an interview this week.
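The flaw described above is a session cookie whose user identifier the server trusts without verifying. The following added example (not Microsoft's code; the names, the in-memory user table and the cookie layout are hypothetical) models the vulnerable pattern next to a hardened one. The fix is modelled with an HMAC under a server-side key, since integrity protection is what defeats a cookie edit; Microsoft's stated fix was to encrypt the XUID, and an authenticated-encryption scheme would additionally hide the value.

```python
import base64, binascii, hashlib, hmac, json, secrets

# Constructed sample data: XUID -> profile (hypothetical, not real Xbox data).
USERS = {"1001": {"gamertag": "DocHarris", "email": "doc@example.com"},
         "1002": {"gamertag": "OtherPlayer", "email": "other@example.com"}}

SERVER_KEY = secrets.token_bytes(32)  # held server-side only, never sent to the browser

# Vulnerable pattern (the flaw described above): the cookie carries the XUID in the
# clear and the server uses whatever value the browser sends back.
def vulnerable_issue_cookie(xuid: str) -> str:
    return json.dumps({"xuid": xuid})

def vulnerable_profile(cookie: str) -> dict:
    return USERS[json.loads(cookie)["xuid"]]   # no check that this is the caller's own XUID

# Hardened pattern: same payload plus an HMAC over it under a server-side key, so any
# edit to the XUID fails verification before the value is used.
def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hardened_issue_cookie(xuid: str) -> str:
    payload = json.dumps({"xuid": xuid}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def hardened_profile(cookie: str):
    """Return the profile for a valid cookie, or None if it was altered or malformed."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # tampered or forged: reject and log the event
    return USERS.get(json.loads(payload)["xuid"])

def tamper(cookie: str, new_xuid: str) -> str:
    """Model of the cookie edit the article describes, used here to show the check holds."""
    if "." in cookie:
        p64, t64 = cookie.split(".", 1)
        d = json.loads(_unb64(p64)); d["xuid"] = new_xuid
        return _b64(json.dumps(d).encode()) + "." + t64
    d = json.loads(cookie); d["xuid"] = new_xuid
    return json.dumps(d)
```

With the vulnerable cookie, the edited XUID returns another account's profile; with the hardened cookie, the same edit fails verification and nothing is returned.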

Microsoft fixes the Xbox bug

Microsoft rolled out a patch for this bug last month. “The solution was to encrypt the XUID,” Harris told us.

The solution was deployed server-side and “there are no additional steps users need to take to stay protected,” a Microsoft spokesperson said in an email Tuesday.

Harris said other Xbox subdomains don’t suffer from the same problem.

A security analyst working for Microsoft’s Security Response Center, which tests bug reports, said that the bug was not covered by Xbox’s bounty program, but the company agreed to list Harris in its bug bounty Hall of Fame as a contributor regardless.

Although Microsoft did not classify this bug as worthy of a monetary reward, because it could not be used to hijack Xbox accounts, the bug could have allowed threat actors to link any Xbox gamer tag to a gamer’s actual email address.

Linking email accounts with players’ real-world identities has led to many cases of harassment, and it is trivial these days with the help of the myriad OpSec tools available online that can make connections between different online profiles, even from the smallest pieces of personal information.
