Xbox Bug Allows Hackers to Link ‘Gamer Tags’ with Player’s Emails
Microsoft has recently patched a bug in the Xbox website that could have allowed hackers to link Xbox ‘gamer tags’ (usernames) to users’ real email addresses. Reported to Microsoft through their recently launches Xbox bug bounty program, the bug was located on enforcement.xbox.com, the web portal used by users to view ‘strikes’ against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site creates a cookie file in their browser with details about their web session, so they won’t have to re-authenticate the next time they visit the site again. This cookie file contained an Xbox user ID (XUID) field that was left unencrypted. Using developer tools included with all modern browsers, a threat actor can edit the XUID field and replace the value with another user’s XUID, refresh the browser and then be presented with that user’s email address.
The patch released by Microsoft late last month addressed this issue by simply encrypting the XUID. This fix was deployed server-side and requires no extra steps on the part of the user. According to researchers, this bug only affected this Xbox sub-domain (enforcement.xbox.com) and no other sub-domains were affected.
While the discovering of a user’s email linked to their ‘gamer tag’ may seem trivial, the linking of email accounts to gamers’ real-world identities has led to many instances of harassment, both online and in person.
Sources: