A hacker recently discovered a vulnerability in Xbox Live that made it easy to find the email address used to register any Xbox Gamertag.
Every Xbox user must supply an email address to register a Gamertag, and those addresses are private by default.
Two weeks ago, an anonymous hacker reached out to Motherboard claiming to be able to discover the email address behind anybody's Xbox Gamertag. By default, email addresses linked to Gamertags are private.
Motherboard was able to verify the vulnerability by providing the hacker with two Gamertags, including one created just a few minutes earlier for testing purposes. The hacker sent back the email addresses used to register both accounts within seconds.
Meanwhile, a different hacker said the bug lies in the Xbox Live enforcement portal, a page that allows Xbox users to contact Microsoft directly.
Exactly how the bug works was not made clear, but hackers could allegedly obtain a user's personal information through the Xbox Live enforcement portal, the page where the Xbox Policy and Enforcement team manages the Xbox Live community and protects the privacy of its users.
The anonymous hacker who reached out to Vice reportedly told the publication that this was “the easiest vulnerability [they’d] ever found,” stating that if not patched the bug would allow hackers to easily find the contact information of any Xbox player.
A privacy issue such as this could have jeopardized the safety of thousands of Xbox users, exposing them to doxing, harassment or abuse.
When Motherboard first reached out to comment, Microsoft seemingly downplayed the problem as “something that does not meet the Microsoft Security Response Center bar for service.”
“An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine mitigation as needed.”
However, after that initial response, Microsoft relayed word that an update had been pushed to fix the issue. Fortunately for Xbox users and Microsoft, the hackers who revealed the bug to Motherboard made sure it wasn't made public before a fix was issued. While a leaked email address isn't a major security breach on its own, it can lead to larger problems such as doxing.
Despite the initial lack of concern, the issue has been patched as of Nov. 25, 2020. Still, it exposed a larger issue with how vulnerable many of these services are.
Microsoft has always made sure its customers know that security is of utmost importance to the company. Earlier this year, Microsoft announced its Xbox Bounty Program and confidently stated that it would begin paying players to hack their Xbox One systems.