Xbox Bug That Could Have Leaked Actual User Email IDs Through Gamer Tag Patched by Microsoft: Report
Xbox user ID (XUID) field on the portal was unencrypted
Microsoft has reportedly patched a bug in an Xbox website that could have potentially exposed users’ real email addresses associated to their Xbox gamer tags. This vulnerability was reported to the company through its bug bounty programme and has since been fixed. The findings for the bug that was reportedly found on enforcement.xbox.com were shared with an online publication earlier this week. The report explains that an Xbox user ID (XUID) field was unencrypted on enforcement.xbox.com.
According to a report by ZDNet, the bug in enforcement.xbox.com was spotted by Joseph “Doc” Harris and a team of security researchers. The website, enforcement.xbox.com, allows Xbox users to view strikes against their profile, as well as file appeals if in case they feel the strike is unfair. It was found that after a user logs in to the website, it creates a cookie file with details of the web session in their browser. This cookie file included an unencrypted Xbox user ID (XUID) field.
Harris was able to use standard browser tools to edit the XUID field and replace it with the XUID of a test account he had created for the Xbox bug bounty programme. Once he replaced the value and refreshed the page, emails of other users were visible. Check out the video by Harris detailing the same.
It was noted that other subdomains were not affected by this bug. The report states that Microsoft patched this bug last month and encrypted the XUID. It was a server-side fix and a Microsoft spokesperson told ZDNet that users do not need to do anything. Additionally, while the bug was not covered under the company’s bug bounty programme, it featured Harris as a contributor in its Bug Bounty Hall of Fame. However, there was no monetary reward.
The bug had the potential to leak actual email IDs to hackers which could then be used for malicious purposes. What’s alarming is that no special tool was required to get access to other user’s email ID.