
Xbox Subdomain Vulnerability Exposed Users’ Email Addresses


  • Administrators

A researcher discovered a serious vulnerability in an Xbox subdomain that exposed the email addresses behind Xbox accounts. An adversary only needed to tamper with cookie files to extract this information.

Xbox Subdomain Vulnerability

Researcher Joseph Harris discovered a serious security flaw that put Xbox users' privacy at risk. The vulnerability existed in the "enforcement.xbox.com" subdomain, the portal that lets Xbox users view and manage the enforcement actions against their profiles. Sharing the details with ZDNet, the researcher explained that when an Xbox user signs in to the portal, it creates a cookie in the user's browser containing details of the web session. While this cookie lets the user back in without re-authenticating, that is also where the problem lay: the cookie included the Xbox user ID (XUID) in unencrypted form. Anyone able to tamper with the cookie could therefore change this XUID to retrieve other users' names as well as their email addresses. The following video demonstrates the Xbox subdomain vulnerability leaking users' data.

Microsoft Deployed A Fix

Upon discovering the vulnerability, the researcher reported the matter to Microsoft via its Xbox bug bounty program, which Microsoft launched earlier this year. Following the report, Microsoft patched the bug last month simply by encrypting the XUIDs. Since it was a server-side fix, users don't have to do anything to receive it; for them, the site continues to work the same way it did, except that it no longer discloses users' details.

This bug did not allow hacking of user accounts or the Xbox network. Nonetheless, it did allow an adversary to link users' real email addresses with their gamertags and profile them, which could further lead to cyberbullying. Given the bug's lower severity, it didn't qualify for a bounty; Microsoft nevertheless agreed to list the researcher's name on its Hall of Fame.
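The flaw described above is a server trusting a client-editable identifier. The added example below (not Microsoft's code; the profile data and the server key are constructed assumptions) contrasts that weak pattern with a cookie whose XUID is bound to a server-held key with an HMAC, so any edited value fails verification instead of resolving to another user's profile.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample directory of XUID -> profile (assumption, not Xbox's schema).
PROFILES = {
    "1001": {"gamertag": "PlayerOne", "email": "one@example.com"},
    "1002": {"gamertag": "PlayerTwo", "email": "two@example.com"},
}
# Hypothetical server secret; in production it comes from a key store, never from source.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_lookup(cookie: str) -> dict:
    """Weak pattern: the XUID in the cookie is trusted as-is, so whatever
    value the client sends selects the profile that gets returned."""
    xuid = json.loads(cookie)["xuid"]
    return PROFILES[xuid]


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_cookie(xuid: str) -> str:
    """Hardened pattern: append an HMAC over the payload so the server can
    detect any change to the XUID after the cookie was issued."""
    payload = json.dumps({"xuid": xuid}).encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def hardened_lookup(cookie: str) -> dict:
    """Return the profile only if the cookie's MAC verifies; a modified or
    forged cookie raises instead of disclosing another user's data."""
    raw = base64.urlsafe_b64decode(cookie)
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _mac(payload)):
        raise PermissionError("cookie integrity check failed")
    return PROFILES[json.loads(payload)["xuid"]]


def tamper(cookie: str, new_xuid: str) -> str:
    """Test fixture: rewrite the XUID inside an issued cookie while keeping
    the old MAC, mimicking a client that edits the stored value."""
    raw = base64.urlsafe_b64decode(cookie)
    payload = json.loads(raw[:-32])
    payload["xuid"] = new_xuid
    return base64.urlsafe_b64encode(json.dumps(payload).encode() + raw[-32:]).decode()
```

An opaque random session ID that maps to the XUID in server-side storage removes the identifier from the client altogether and is the stronger option where session state is available.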

Attribution link: https://latesthackingnews.com/2020/11/27/xbox-subdomain-vulnerability-exposed-users-email-addresses/
