An Xbox bug could have let hackers link gamer tags with the players’ emails
This particular Xbox bug could have been exploited by opening a browser's developer console and editing a single cookie field.
Microsoft has patched a bug in the Xbox website that could have allowed hackers to link Xbox gamer tags (usernames) with the users’ email addresses. The vulnerability was reported to Microsoft through their Xbox bug bounty program.
One of the security researchers, Joseph “Doc” Harris, who reported the issue to Microsoft, shared his findings with ZDNet. Harris said that the bug was located on enforcement.xbox.com, the web portal where Xbox users “go to view strikes against their Xbox profile” and also file appeals if they feel “they have been unfairly reprimanded for their behaviour on the Xbox network”.
Once users log into this website, the Xbox Enforcement site stores a cookie in their browser with details about the web session. This is done so that users do not have to re-authenticate the next time they visit.
Harris told ZDNet that Xbox Enforcement's cookie included an Xbox user ID (XUID) field that was unencrypted. Using the developer tools built into all modern browsers, Harris showed that this XUID field could easily be edited and replaced with the XUID of a test account, one he had created for the Xbox bug bounty program.
"Tried replacing the cookie value and refreshing, and suddenly I was able to see other (users’) emails," Harris told ZDNet in an interview. He also shared a video of the bug:
Microsoft fixed this bug by encrypting the XUID.
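As an added illustration (not code from Microsoft or from the researcher), the snippet below models the flaw described above: a profile lookup that trusts a plaintext XUID read straight from the cookie, beside a hardened lookup that accepts the XUID only if it carries a tag computed with a server-held key, so an edited value is rejected. The accounts, XUIDs and cookie names are constructed for the example; the article says Microsoft's actual fix encrypted the XUID, whereas the HMAC tag here is one illustrative integrity check, not Microsoft's implementation.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two accounts keyed by fictional XUIDs.
ACCOUNTS = {
    "1001": {"gamertag": "ResearcherTestAcct", "email": "test@example.invalid"},
    "2002": {"gamertag": "SomeOtherPlayer", "email": "other@example.invalid"},
}
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server


def vulnerable_profile_email(cookies):
    """Trusts whatever XUID the client sends, as the page describes."""
    xuid = cookies.get("xuid")
    return ACCOUNTS[xuid]["email"] if xuid in ACCOUNTS else None


def issue_cookie(xuid):
    """Server sets the XUID together with an HMAC tag over it (assumed scheme)."""
    tag = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return {"xuid": xuid, "xuid_mac": tag}


def hardened_profile_email(cookies):
    """Rejects any cookie whose XUID no longer matches its server-issued tag."""
    xuid = cookies.get("xuid", "")
    tag = cookies.get("xuid_mac", "")
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # edited or forged: treat as unauthenticated
    return ACCOUNTS[xuid]["email"] if xuid in ACCOUNTS else None


def demo():
    """Returns what each lookup exposes for a legitimate and an edited cookie."""
    legit = issue_cookie("1001")
    edited = dict(legit, xuid="2002")  # the cookie after the XUID field is changed
    return {
        "vuln_own": vulnerable_profile_email(legit),
        "vuln_edited": vulnerable_profile_email(edited),
        "hard_own": hardened_profile_email(legit),
        "hard_edited": hardened_profile_email(edited),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the XUID to a server-side session record instead of sending it in the cookie at all is the more common fix; either way, the server must stop treating a client-controlled field as the authenticated identity.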
A Microsoft spokesperson said in an email that the fix was deployed on the server-side and added that there are no other steps that users need to take themselves to be protected.
Harris has pointed out that no other Xbox subdomain suffers from the same bug.
According to reports, a security analyst working for Microsoft's Security Response Center said the bug wasn't covered by the Xbox bug bounty program, but Microsoft agreed to feature Harris on their Bug Bounty Hall of Fame as a contributor.
Although Microsoft did not classify this bug as "worthy of a monetary reward because the bug couldn't be used to hijack Xbox", it could have allowed hackers to link any Xbox gamer tag to the gamer's real email address.
Linking email addresses to gamers' real-world identities has led to instances of harassment. The fact that most gamers use the same email address for most of their online accounts makes such linking even more useful to attackers, as this tweet shows -