A serious vulnerability in Xbox Live reportedly allowed attackers to see the e-mail address of any user of the service. That is according to multiple security researchers who say they discovered the flaw and reported it to Microsoft. The vulnerability has since been patched server-side, and Microsoft has issued a statement saying that users do not need to take any action to mitigate the problem.
One of the researchers who reported the problem to Microsoft is Joseph ‘Doc’ Harris, who told ZDNet that the bug was located on the ‘enforcement.xbox.com’ domain, which enables Xbox users to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded.
According to Harris, the portal stored an Xbox user ID (XUID) in a cookie in unencrypted, unprotected form, and the server trusted that value to decide whose profile to display. By replacing the XUID in his own cookie with the XUID of a test account he had created for the Xbox bug bounty program, he could read that account’s e-mail address, a classic insecure direct object reference (IDOR). “Tried replacing the cookie value and refreshing, and suddenly I was able to see other (users’) emails”, he told the publication in an interview earlier this week.
As mentioned already, Microsoft has rolled out a patch encrypting the XUID. In an official statement, the company said it has “released an update to help protect customers”. The bug, however, was not covered by the Xbox bug bounty program, which means Harris received no financial reward for his research, although Microsoft has agreed to feature him on its Bug Bounty Hall of Fame as a contributor.
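The cookie swap Harris describes, and the kind of server-side fix the patch implies, as an added example that is not part of the original article and not Microsoft's code: a minimal Python handler that trusts a client-supplied XUID cookie (the vulnerable pattern), beside one that only honours an XUID carrying a valid HMAC-SHA256 tag under a server-held key. The user records, XUID values, cookie name and signing scheme are all constructed for illustration; the article only says Microsoft's update “encrypts” the XUID and gives no detail of the mechanism, so the tagging scheme here is an assumption about one reasonable fix, not a description of theirs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data (not real Xbox accounts): a tiny user store keyed by XUID.
USERS: Dict[str, Dict[str, str]] = {
    "2533274800000001": {"gamertag": "DocMain", "email": "doc-main@example.com"},
    "2533274800000002": {"gamertag": "DocTest", "email": "doc-test@example.com"},
}

# Server-held signing key; hypothetical here, in production loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)

COOKIE = "XUID"  # assumed cookie name; the article does not give the real one


def vulnerable_profile_email(cookies: Dict[str, str]) -> Optional[str]:
    """Vulnerable pattern: the XUID in the cookie is used as-is to pick the record,
    so the caller, not the server, decides whose data comes back (an IDOR)."""
    user = USERS.get(cookies.get(COOKIE, ""))
    return user["email"] if user else None


def sign_xuid(xuid: str) -> str:
    """Issue a tamper-evident cookie value: '<xuid>.<hex HMAC-SHA256 over xuid>'."""
    tag = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return f"{xuid}.{tag}"


def verify_xuid(cookie_value: str) -> Optional[str]:
    """Return the XUID only if its tag verifies under SERVER_KEY, else None."""
    xuid, sep, tag = cookie_value.rpartition(".")
    if not sep or not xuid:
        return None
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return xuid if hmac.compare_digest(tag, expected) else None


def hardened_profile_email(cookies: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: an XUID is honoured only when it carries a valid tag."""
    xuid = verify_xuid(cookies.get(COOKIE, ""))
    if xuid is None:
        return None
    user = USERS.get(xuid)
    return user["email"] if user else None


def swap_xuid(cookie_value: str, target_xuid: str) -> str:
    """What the researcher did: keep the cookie, replace only the XUID portion."""
    _, sep, tag = cookie_value.rpartition(".")
    return f"{target_xuid}.{tag}" if sep else target_xuid


if __name__ == "__main__":
    own, victim = "2533274800000001", "2533274800000002"
    # Vulnerable portal: a bare XUID cookie is enough to read the other account's e-mail.
    print(vulnerable_profile_email({COOKIE: swap_xuid(own, victim)}))
    # Hardened portal: the issued cookie works, the swapped one fails verification.
    issued = sign_xuid(own)
    print(hardened_profile_email({COOKIE: issued}))
    print(hardened_profile_email({COOKIE: swap_xuid(issued, victim)}))
```

The point of the hardened handler is not secrecy of the XUID but that the server refuses any identifier the client can alter; encryption without an integrity check does not by itself close this class of bug, whereas a MAC (or authenticated encryption) does. The most robust form of the fix goes one step further and does not read the identity from the cookie at all: the browser holds an opaque session token and the server resolves the XUID from its own session store, so there is no user ID in the cookie to swap.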