The Xbox flaw allowed attackers to unmask a user's real identity by exposing the email address behind any Xbox gamertag.
XBOX Bug Bounty
Microsoft announced an official bug bounty program for the Xbox gaming platform.
It will pay from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services.
Joseph “Doc” Harris, one of several security researchers who reported the issue to Microsoft this year, shared his findings with ZDNet earlier this week.
Harris found a bug in an Xbox website that could have allowed attackers to link Xbox usernames (gamertags) to their owners' real email addresses.
According to the researcher, the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile.
After users log in, the Xbox Enforcement site sets a cookie in their browser with details about their web session, so they don't have to re-authenticate the next time they visit the site.
Harris said that this cookie contained an Xbox user ID (XUID) field that was stored unencrypted, so anyone could read and rewrite it.
Harris then edited the XUID field and replaced it with the XUID of a test account he had created.
“Tried replacing the cookie value and refreshing, and suddenly I was able to see other [users’] emails,” Harris said.
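The cookie swap described above, reduced to a runnable model: the server reads the user ID straight out of a cookie the browser controls, so rewriting that field selects whose profile comes back. The same block shows two ways to close the hole, an opaque server-side session and a tamper-evident (HMAC-signed) XUID field. This is an added example and not code from the Xbox enforcement portal or from Harris; the XUIDs, emails, cookie names and function names are constructed for the demonstration.

```python
"""Cookie-tampering / IDOR model of the enforcement.xbox.com bug.

Added example, not Microsoft's or the researcher's code. The user table,
cookie layout and function names below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample data standing in for the portal's user store.
USERS = {
    "2533274790395904": {"gamertag": "DocHarris", "email": "doc@example.com"},
    "2533274812345678": {"gamertag": "VictimGamer", "email": "victim@example.com"},
}


def parse_cookie(header: str) -> dict:
    """Parse a Cookie request header ('a=1; b=2') into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# ---- vulnerable pattern: authorization decided by a client-editable field ----

def issue_vulnerable_cookie(xuid: str) -> str:
    """What the flawed portal did: put the XUID into the cookie in the clear."""
    return f"xuid={xuid}"


def vulnerable_profile(cookie_header: str) -> Optional[dict]:
    """Look up whichever XUID the cookie names. Whoever edits the cookie
    chooses the victim: an insecure direct object reference (IDOR)."""
    xuid = parse_cookie(cookie_header).get("xuid")
    return USERS.get(xuid)


# ---- hardened pattern A: opaque server-side session ----

SESSIONS = {}  # session token -> xuid; the mapping never leaves the server


def login(xuid: str) -> str:
    """Issue an unguessable random token; the XUID is not in the cookie at all."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = xuid
    return f"session={token}"


def hardened_profile(cookie_header: str) -> Optional[dict]:
    """A forged or edited token maps to nothing, so no profile is returned."""
    token = parse_cookie(cookie_header).get("session")
    xuid = SESSIONS.get(token)
    return USERS.get(xuid) if xuid else None


# ---- hardened pattern B: XUID stays in the cookie but is tamper-evident ----

SERVER_KEY = secrets.token_bytes(32)  # held server-side only


def sign_xuid(xuid: str) -> str:
    """Cookie value is '<xuid>.<HMAC-SHA256(xuid)>'."""
    mac = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return f"xuid={xuid}.{mac}"


def signed_profile(cookie_header: str) -> Optional[dict]:
    """Recompute the MAC over the presented XUID; reject on mismatch."""
    value = parse_cookie(cookie_header).get("xuid", "")
    xuid, _, mac = value.rpartition(".")
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return USERS.get(xuid)


if __name__ == "__main__":
    # Attacker logs in as their own test account, then rewrites the XUID field.
    own = issue_vulnerable_cookie("2533274790395904")
    stolen = own.replace("2533274790395904", "2533274812345678")
    print("vulnerable:", vulnerable_profile(stolen))          # victim's email leaks
    print("session:", hardened_profile("session=2533274812345678"))  # None
    forged = "xuid=2533274812345678." + sign_xuid("2533274790395904").rsplit(".", 1)[1]
    print("signed:", signed_profile(forged))                  # None
```

The page reports Microsoft's fix as encrypting the XUID. Whatever the exact construction, the property that closes the hole is that the server no longer acts on a field the client can rewrite at will, which is what both hardened variants give: pattern A keeps the identifier out of the cookie entirely, pattern B lets the server detect any edit to it. Note that pattern B still exposes the XUID itself to the browser; that is acceptable only if the XUID is not considered sensitive on its own.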
Fix for XBOX Flaw
Microsoft deployed a patch for this bug last month. “The fix was to encrypt the XUID,” Harris told ZDNet.
The fix was deployed server-side, and “there are no additional steps that users need to take to stay protected,” a Microsoft spokesperson said in an email on Tuesday.
Microsoft did not classify this bug as worthy of a monetary reward, because it couldn't be used to hijack Xbox accounts, even though it could have allowed threat actors to link any Xbox gamertag to a gamer's real email address.
The company nevertheless agreed to feature Harris in its Bug Bounty Hall of Fame as a contributor.