Microsoft has confirmed a fix for a bug on the Xbox website that allowed attackers to connect Xbox gamer tags to the real name and address of the account holder. This bug was discovered during a recent Xbox bug bounty program hunt.
Security researchers reported the issue, including Doc Harris, who discussed the problem with ZDNet. He says the flaw is found on enforcement.xbox.com. This is where users can see issues with their profile, such as strikes.
When users were logging in, it was possible for a threat actor to replace the XUID field with a test account XUID. This allowed the possibility of creating fake login forms.
“Tried replacing the cookie value and refreshing, and suddenly I was able to see other [users’] emails,” Harris told ZDNet.
Microsoft says a patch has already been sent out last month to encrypt the normal XUID.
The company’s new Xbox Bug Bounty Program has been live since January this year.
“The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”
Regarding the Xbox.com flaw, Microsoft did not pay a monetary reward. The company says bounties are only given for flaws that can directly impact and compromise the Xbox platform. In other words, security holes that could allow threat actors to access Xbox consoles like the new Xbox Series X.