Posted on November 26, 2020 at 7:22 PM
A serious vulnerability in Xbox Live has been discovered. The flaw lets an attacker obtain the email address used to register any Xbox Gamertag.
An anonymous hacker reported last week that he could find out the email address used to register anyone’s Xbox Gamertag. Normally, the email addresses linked to Gamertags are not publicly disclosed.
The vulnerability exists in the Xbox Live enforcement portal
To verify the claim, Motherboard gave the hacker two Gamertags and asked him to find their linked email addresses. Within a few seconds, the hacker replied with the two email addresses linked to the Gamertags.
Another unidentified hacker confirmed that the vulnerability exists in the Xbox enforcement portal where gamers reach out to Xbox’s online community handlers.
Microsoft didn’t respond swiftly to the threat
Even after Microsoft was alerted to the security threat and its obvious seriousness, the company did not respond immediately.
When Motherboard emailed the tech giant about the security threat, the initial response was judged not to take the issue seriously enough. According to the Microsoft Security Response Center (MSRC), the email “provides nothing else to identify the issuer, is not something that meets MSRC bar for service.”
Microsoft also said it would not investigate the threat itself and would leave it to the product group to determine how serious it was.
However, on Tuesday Microsoft revealed that it had released an update addressing the security threat to protect users.
According to the anonymous hacker who contacted Motherboard about the vulnerability, it is the easiest bug he has ever discovered. He added that details of the bug should not be disclosed to the public until a patch or update is released.
A threat actor with this type of discovery could launch attacks on the affected users. For instance, a similar vulnerability in Instagram in 2017 allowed hackers to build a searchable database that was used to dox celebrities.
After Microsoft was contacted last week, the company released an update for the vulnerability, having initially declined to offer a patch for the bug.
Multiple reports received about the bug
According to Microsoft, the company received several reports about the bug, and its security team has taken appropriate action by releasing the patch.
According to the hacker who discovered the bug, if Motherboard published any details about it, threat actors could find the bug within minutes, putting many users at risk, as it is the easiest vulnerability he has discovered.
According to the hacker, threat actors could have used the bug to iterate through Gamertags and collect the email addresses of thousands of Xbox players.
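The iteration the hacker describes leaves a recognisable footprint on the server side: one client querying the lookup endpoint for many distinct Gamertags in a short time. The following added example (not code from the article, from Microsoft, or from the enforcement portal) shows how a defender could flag that pattern from access logs. The log format, the `/enforcement/lookup` path, the field names and the sample lines are all assumptions constructed for this illustration; an operator would map the regex onto their own log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical access-log format (an assumption for this
# example; not real Xbox Live enforcement portal logs). One client looks up six different
# Gamertags within ten seconds, another repeatedly looks up a single tag, a third makes
# two lookups minutes apart.
SAMPLE_LOG = """\
2020-11-20T14:00:00Z client=203.0.113.7 path=/enforcement/lookup gamertag=AlphaWolf status=200
2020-11-20T14:00:01Z client=198.51.100.4 path=/enforcement/lookup gamertag=MyOwnTag status=200
2020-11-20T14:00:02Z client=203.0.113.7 path=/enforcement/lookup gamertag=Bravo99 status=200
2020-11-20T14:00:03Z client=203.0.113.7 path=/enforcement/lookup gamertag=Charlie_X status=200
2020-11-20T14:00:05Z client=203.0.113.7 path=/enforcement/lookup gamertag=Delta7 status=200
2020-11-20T14:00:06Z client=192.0.2.9 path=/enforcement/lookup gamertag=SomeTag status=200
2020-11-20T14:00:07Z client=203.0.113.7 path=/enforcement/lookup gamertag=EchoEcho status=200
2020-11-20T14:00:09Z client=203.0.113.7 path=/enforcement/lookup gamertag=Foxtrot42 status=200
2020-11-20T14:03:00Z client=198.51.100.4 path=/enforcement/lookup gamertag=MyOwnTag status=200
2020-11-20T14:05:00Z client=198.51.100.4 path=/enforcement/lookup gamertag=MyOwnTag status=200
2020-11-20T14:06:00Z client=192.0.2.9 path=/enforcement/lookup gamertag=OtherTag status=200
"""

# Hypothetical line layout: ISO-8601 timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"gamertag=(?P<tag>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "path": m["path"],
            "tag": m["tag"], "status": int(m["status"])}


def detect_enumeration(log_text, threshold=5, window=timedelta(seconds=60),
                       path="/enforcement/lookup"):
    """Return {client: peak_distinct_tags} for every client that successfully looked up
    at least `threshold` distinct Gamertags within any span of length `window`.

    Repeated lookups of the same tag (a user checking their own account) do not count
    towards the threshold, which keeps ordinary portal use below the alerting line."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, tag), oldest first
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != path or ev["status"] != 200:
            continue
        q = recent[ev["client"]]
        q.append((ev["ts"], ev["tag"]))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({tag for _, tag in q})
        if distinct >= threshold:
            flagged[ev["client"]] = max(distinct, flagged.get(ev["client"], 0))
    return flagged


if __name__ == "__main__":
    for client, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible Gamertag enumeration from {client}: "
              f"{count} distinct tags within 60s")
```

The same sliding window is what a rate limit on the endpoint would key on; the detector differs from a plain request counter in that it counts distinct lookup targets, so a single user refreshing their own page is not treated the same as a client walking through a list of Gamertags.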
The gaming industry has recently become an increasingly popular target for threat actors looking to obtain players’ personal details. Once such details are exposed, threat actors can use them to launch further attacks, as was seen with the Instagram bug.
One particular form of abuse that has gained more attention in the gaming industry is threat actors using their victims’ details to harass and dox them, which can sometimes have severe consequences.
Apart from the report from the anonymous hacker, another hacker also knew about the bug. The second anonymous hacker asked Motherboard whether it was aware of the “Xbox zero-day”.
The hacker then elaborated, saying he was referring to the method of pulling the email address behind any Gamertag, which is possible because of the Xbox Live Enforcement bug.
A security expert who works in the gaming industry described the vulnerability as a “big privacy nightmare,” adding that it is ironic that the company’s safety and trust portal is what exposes users to a cyber attack.
But another cybersecurity researcher, Amir Khashayar Mohammadi, said the vulnerability did not surprise him.
He said the method of stealing emails from rare Gamertags is not new, as some people have been doing it for years. But he wondered why the companies haven’t been able to discover such bugs, even with their sophisticated security tools.