Microsoft has patched a bug in the Xbox website that could have allowed threat actors to link Xbox gamer tags (usernames) to users’ real email addresses.
The vulnerability was reported to Microsoft through the company’s recently launched Xbox bug bounty program.
Joseph “Doc” Harris, one of the several security researchers who reported the issue to Microsoft this year, shared his findings with ZDNet earlier this week.
The security researcher said the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site creates a cookie in their browser with details about their web session, so they won’t have to re-authenticate the next time they visit the site.
Harris said that this portal’s cookie contained an Xbox user ID (XUID) field that was unencrypted.
Using tools included with all modern browsers, Harris edited the XUID field and replaced it with the XUID of a test account he had created and had used for testing as part of the Xbox bug bounty program.
“Tried replacing the cookie value and refreshing, and suddenly I was able to see other [users’] emails,” Harris told ZDNet in an interview this week.
Harris also shared a video of the bug, embedded below:
Microsoft deployed a patch for this bug last month. “The fix was to encrypt the XUID,” Harris told us.
The fix was deployed server-side, and “there are no additional steps that users need to take to stay protected,” a Microsoft spokesperson said in an email on Tuesday.
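The pattern behind the bug, and the property a fix needs, as an added illustration that is not code from the article or from Microsoft: a lookup that trusts whatever XUID the client's cookie carries, beside a version whose cookie carries an integrity tag only the server can compute, so an edited XUID is rejected. The article reports that Microsoft's fix was to encrypt the XUID; the HMAC tag, the user store, the secret key and the cookie layout here are stand-ins chosen for a self-contained example, not Microsoft's implementation.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Constructed sample user store standing in for the enforcement portal's data:
# XUID -> account email. These values are made up for the example.
USERS: Dict[str, str] = {
    "1001": "alice@example.com",
    "2002": "bob@example.com",
}

# Constructed server-side secret (hypothetical); a real deployment would load
# it from a secret store, never from source code.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def parse_cookie(header: str) -> Dict[str, str]:
    """Split 'k1=v1; k2=v2' into a dict (minimal Cookie header parser)."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    return fields


def vulnerable_lookup(cookie_header: str) -> Optional[str]:
    """The bug pattern: the server trusts the plaintext XUID from the client's cookie."""
    xuid = parse_cookie(cookie_header).get("xuid", "")
    return USERS.get(xuid)


def _tag(xuid: str) -> str:
    """HMAC-SHA256 over the XUID, keyed with the server secret."""
    return hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()


def issue_cookie(xuid: str) -> str:
    """Hardened issuance: the XUID travels with a tag only the server can compute."""
    return f"xuid={xuid}; tag={_tag(xuid)}"


def hardened_lookup(cookie_header: str) -> Optional[str]:
    """Hardened check: a cookie whose XUID was edited no longer matches its tag."""
    fields = parse_cookie(cookie_header)
    xuid, tag = fields.get("xuid", ""), fields.get("tag", "")
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag.encode(), _tag(xuid).encode()):
        return None  # tampered or forged cookie: deny the request and log it
    return USERS.get(xuid)
```

Binding the identifier to a server-side session record, rather than carrying it in the cookie at all, removes the client-controlled field entirely and is the stronger design where the session store allows it.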
Harris said that other Xbox subdomains don’t suffer from the same issue.
A security analyst working for Microsoft’s Security Response Center, which triages bug reports, said the bug wasn’t covered by the Xbox bug bounty program, but the company agreed to feature Harris in its Bug Bounty Hall of Fame as a contributor regardless.
Although Microsoft did not consider the bug worthy of a monetary reward because it couldn’t be used to hijack Xbox accounts, it could have allowed threat actors to link any Xbox gamer tag to a gamer’s real email address.
Linking email accounts to gamers’ real-world identities has led to many instances of harassment and is trivial these days with the help of the plethora of OpSec tools available online that can draw connections between different online profiles even from the smallest piece of personal information.
The fact that most gamers use the same email address for most of their online accounts also helps a lot. See evidence #1 below: