• Home
  • Games
  • Games News
  • Xbox Bug That Could Have Leaked Actual User Email IDs Through Gamer Tag Patched by Microsoft: Report

Xbox Bug That Could Have Leaked Actual User Email IDs Through Gamer Tag Patched by Microsoft: Report

Microsoft patched a bug that was found on its enforcement.xbox.com portal where Xbox user can file complaints.

Share on Facebook Tweet Snapchat Share Reddit Comment
Xbox Bug That Could Have Leaked Actual User Email IDs Through Gamer Tag Patched by Microsoft: Report

Xbox user ID (XUID) field on the portal was unencrypted

Highlights
  • Microsoft patched a bug that could leak user email IDs
  • The bug was found on enforcement.xbox.com
  • Hackers could potentially use Xbox gamer tags to find actual email IDs

Microsoft has reportedly patched a bug in an Xbox website that could have potentially exposed users' real email addresses associated to their Xbox gamer tags. This vulnerability was reported to the company through its bug bounty programme and has since been fixed. The findings for the bug that was reportedly found on enforcement.xbox.com were shared with an online publication earlier this week. The report explains that an Xbox user ID (XUID) field was unencrypted on enforcement.xbox.com.

According to a report by ZDNet, the bug in enforcement.xbox.com was spotted by Joseph "Doc" Harris and a team of security researchers. The website, enforcement.xbox.com, allows Xbox users to view strikes against their profile, as well as file appeals if in case they feel the strike is unfair. It was found that after a user logs in to the website, it creates a cookie file with details of the web session in their browser. This cookie file included an unencrypted Xbox user ID (XUID) field.

Harris was able to use standard browser tools to edit the XUID field and replace it with the XUID of a test account he had created for the Xbox bug bounty programme. Once he replaced the value and refreshed the page, emails of other users were visible. Check out the video by Harris detailing the same.

It was noted that other subdomains were not affected by this bug. The report states that Microsoft patched this bug last month and encrypted the XUID. It was a server-side fix and a Microsoft spokesperson told ZDNet that users do not need to do anything. Additionally, while the bug was not covered under the company's bug bounty programme, it featured Harris as a contributor in its Bug Bounty Hall of Fame. However, there was no monetary reward.

The bug had the potential to leak actual email IDs to hackers which could then be used for malicious purposes. What's alarming is that no special tool was required to get access to other user's email ID.


Which is the best TV under Rs. 25,000? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

 

Affiliate links may be automatically generated - see our ethics statement for details.
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Microsoft, Xbox, Xbox Gamer Tag
Vineet Washington Vineet Washington writes about gaming, smartphones, audio devices, and new technologies for Gadgets 360, out of Delhi. Vineet is a Senior Sub-editor for Gadgets 360, and has frequently written about gaming on all platforms and new developments in the world of smartphones. In his free time, Vineet likes to play video games, make clay models, play the guitar, watch sketch-comedy, and anime. Vineet is available on vineetw@ndtv.com, so please send in your leads and tips. More
Realme Phone With Model Number RMX3063 Spotted on FCC Certification Site, 5,000mAh Battery Tipped
Apple Patent Application Shows It Could Bring Force Touch to MacBook Pro’s Touch Bar

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com