Vulnerability on Xbox website allowed users to be linked to their email addresses

Vulnerability on the Xbox website
Written by Emma Davis

The recently launched bug bounty for Xbox is already bearing fruit. Several information security specialists immediately notified Microsoft about a vulnerability on the Xbox website, which allowed to associate player tags (usernames) with real email addresses.

One of the specialists who found the problem was Joseph Harris, and now he has told the details of the bug to the journalists of the ZDNet media resource. The bug was related to the enforcement.xbox.com portal, which Xbox users turn to when they need to check strikes associated with their profile, as well as to appeal for unfair punishment.

When a user logs into Xbox Enforcement, the site creates a cookie in the browser with detailed information about the web session, so the next time they visit the site, they don’t have to re-authenticate.

Harris explains that the portal cookie contains an Xbox User ID (XUID) field that is unencrypted. Using developer tools available in any modern browser, Harris was able to edit the XUID field and replace the ID with the XUID of a test account he created specifically for the bug bounty of the Xbox program.

While trying to change the value of a cookie, I suddenly realized that I could see the email addresses of other [users].Harris says.

Currently, Microsoft developers have already fixed this bug by encrypting the XUID value on the server side. At the same time, Microsoft Security Response Center specialists, who are studying the bug reports, told the publication that this vulnerability does not fall under the bug bounty program of the Xbox, but Harris was still included in the company’s hall of glory as one of the co-authors of the problem.

Also Harris shared a video about the bug:

While Microsoft didn’t recognize this mistake as worthy of monetary rewards – and indeed it cannot be used to hack the Xbox platform, it could still allow attackers to associate any Xbox player’s nickname with their real email address.

Matching email accounts with real players’ real identities has already led to numerous harassment cases using the many OpSec tools available online. These are tools that can link different online profiles with even the smallest piece of personal information.

Let me remind you that the recently discovered bug in Facebook Messenger for Android allowed connecting to user conversations.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending