A serious vulnerability in Xbox Live reportedly allowed attackers to discover the e-mail address of anybody who used the service. That is according to multiple security researchers who say they found the flaw and reported it to Microsoft. The vulnerability has since been patched server-side, and Microsoft has issued a statement saying that users do not need to take any action to mitigate the problem.
One of the researchers who reported the matter to Microsoft is Joseph ‘Doc’ Harris, who told ZDNet that the bug was located on the ‘enforcement.xbox.com’ domain, the portal that lets Xbox users view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded.
According to Harris, the portal’s cookies contained an Xbox user ID (XUID) field that was stored unencrypted, and the server trusted that client-controlled value when deciding whose profile to show. Replacing the XUID cookie value with the XUID of a test account he had created as part of the Xbox bug bounty program was enough to see that account’s e-mail address, a classic insecure direct object reference. “Tried replacing the cookie value and refreshing, and suddenly I was able to see other (users’) emails”, he told ZDNet in an interview earlier this week.
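The following is an added illustration of the flaw described above, written for this page; it is not Microsoft’s code and does not reproduce the real enforcement.xbox.com implementation. It models a server handler that reads the XUID straight from the client’s cookie (the vulnerable pattern), a hardened handler that resolves identity from a server-side session instead, and a third variant that binds the XUID cookie to an HMAC tag so a swapped value is rejected. The XUIDs, e-mail addresses, session token, server key and the `PROFILES`/`SESSIONS` stores are all constructed sample data.

```python
# Added example, not Microsoft's code: a minimal model of a portal that
# trusts a user identifier (XUID) taken from a client-supplied cookie,
# next to two server-side fixes. All identifiers and data are constructed.

from http.cookies import SimpleCookie
from typing import Optional
import hashlib
import hmac

# Constructed sample data: two profiles and one authenticated session.
PROFILES = {
    "2533274790395904": {"gamertag": "DocTestAccount", "email": "doc-test@example.com"},
    "2533274811223344": {"gamertag": "OtherPlayer", "email": "other@example.com"},
}
# Session token -> XUID that the server itself authenticated at login.
SESSIONS = {"sess-7f3a": "2533274790395904"}
# Assumption: a secret that never leaves the server, used to tag cookies.
SERVER_KEY = b"constructed-server-secret-do-not-use"


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_enforcement_page(cookie_header: str) -> Optional[dict]:
    """Insecure: the profile shown is whichever XUID the client wrote into the
    cookie. Any user can edit that value and read another player's e-mail."""
    cookies = parse_cookies(cookie_header)
    return PROFILES.get(cookies.get("XUID", ""))


def fixed_enforcement_page(cookie_header: str) -> Optional[dict]:
    """Hardened: identity is looked up from the server-side session. A client
    supplied XUID cookie is ignored entirely, so substituting it does nothing."""
    cookies = parse_cookies(cookie_header)
    xuid = SESSIONS.get(cookies.get("session", ""))
    if xuid is None:
        return None  # not authenticated
    return PROFILES.get(xuid)


def sign_xuid(xuid: str) -> str:
    """Issue a tamper-evident cookie value: '<xuid>.<hmac-sha256 hex tag>'."""
    tag = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return f"{xuid}.{tag}"


def verify_xuid(cookie_value: str) -> Optional[str]:
    """Return the XUID only if its tag was produced with SERVER_KEY.
    Comparison is constant-time so the tag cannot be guessed byte by byte."""
    xuid, _, tag = cookie_value.rpartition(".")
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return xuid


def signed_cookie_enforcement_page(cookie_header: str) -> Optional[dict]:
    """Alternative fix: keep the XUID in the cookie but reject any value whose
    tag does not verify, which is what defeats a simple cookie swap."""
    cookies = parse_cookies(cookie_header)
    xuid = verify_xuid(cookies.get("XUID", ""))
    if xuid is None:
        return None
    return PROFILES.get(xuid)


if __name__ == "__main__":
    # A user logged in as DocTestAccount rewrites the cookie to OtherPlayer's XUID.
    forged = "session=sess-7f3a; XUID=2533274811223344"
    print("vulnerable:", vulnerable_enforcement_page(forged))   # leaks OtherPlayer
    print("session-bound:", fixed_enforcement_page(forged))     # DocTestAccount only
    print("signed cookie:", signed_cookie_enforcement_page(forged))  # rejected
```

Encrypting or signing the cookie stops the trivial value swap, but the more robust design is the session-bound handler: the server never lets the client name the record it is about to display, so there is nothing to tamper with in the first place.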
As mentioned above, Microsoft has rolled out a fix that encrypts the XUID cookie value. In an official statement, the company said it has “released an update to help protect customers”. The bug, however, was not covered by the Xbox bug bounty program, which means Harris did not receive any financial reward for his research, although Microsoft has agreed to list him as a contributor in its Bug Bounty Hall of Fame.