Microsoft Fixes Xbox Website Bug That Would've Compromised Users' Email Address
The researchers who discovered the bug said that the flaw existed in the Xbox Enforcement website. If attackers had access to the email address, users' real-world identity would've been compromised.

Microsoft has patched an Xbox website bug that would have given cyber attackers access to the email address used to register any Xbox Gamertag (username). According to ZDNet, the vulnerability was reported to Microsoft through its recently launched Xbox bug bounty programme. As per the researchers, the bug existed in the Xbox Enforcement web portal, which provides information on the policies that govern the Xbox service. The report explains that if attackers had access to the email address, users’ real-world identity would’ve been compromised, increasing the chances of cyber harassment, phishing attempts and many other risks.

Joseph ‘Doc’ Harris, one of the researchers who shared the findings with the publication, said that the Xbox Enforcement site creates a cookie file in users’ browsers with details about the web session and more. This cookie essentially lets users re-enter the website without re-authenticating during each fresh session. However, the portal’s cookie, which also included the Xbox user ID (Gamertag), was said to be unencrypted and potentially at risk of tampering. The bug is somewhat similar to a zero-day bug, one that is often unknown to attackers and is simply out in the wild without anyone’s knowledge.
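To make the weakness described above concrete, the following added example (not Microsoft's code, and not from the report) contrasts a session cookie that carries the user ID in the clear with one that carries an HMAC tag, so the server can reject an edited ID; the key value and function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed demo key for this example only; in a real deployment this is a
# server-side secret that never reaches the browser.
SERVER_KEY = b"demo-server-secret-do-not-reuse"


def plaintext_cookie(user_id: str) -> str:
    """Weak pattern: the cookie is just the user ID in the clear."""
    return f"uid={user_id}"


def read_plaintext_cookie(cookie: str) -> str:
    # The server cannot tell an edited cookie from the one it issued, so
    # whatever ID the browser presents is trusted as the caller's identity.
    return cookie.split("=", 1)[1]


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 over the payload, base64url-encoded without padding.
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def signed_cookie(user_id: str) -> str:
    """Hardened pattern: the ID is still readable, but it carries a tag that
    only the server can compute, so any edit to the ID is detectable."""
    payload = f"uid={user_id}"
    return f"{payload}|{_sign(payload.encode())}"


def read_signed_cookie(cookie: str):
    """Return the user ID if the tag verifies, otherwise None (reject session)."""
    try:
        payload, tag = cookie.rsplit("|", 1)
    except ValueError:
        return None  # no tag at all: never issued by this server
    if not hmac.compare_digest(_sign(payload.encode()), tag):
        return None  # payload was altered after issuance
    return payload.split("=", 1)[1]


if __name__ == "__main__":
    issued = signed_cookie("alice")
    print("valid cookie ->", read_signed_cookie(issued))
    print("edited cookie ->", read_signed_cookie(issued.replace("alice", "bob", 1)))
```

The plaintext reader accepts any ID the browser sends, which is the class of flaw the report describes; the signed reader returns None for the same edit.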

Harris explained that he, along with other researchers, used modern browser tools to check the flaw on the Microsoft Xbox Enforcement portal. He further showcased the findings in a video, available on YouTube. The report notes that Microsoft deployed a server-side fix after the researchers notified it of the flaw. Although Microsoft is yet to publicly address the issue, the company acknowledged the bug in a response to ZDNet.

A security analyst working for Microsoft’s Security Response Center, which triages bug reports, said the bug wasn’t covered by the Xbox bug bounty programme, but the company agreed to feature Harris in its Bug Bounty Hall of Fame as a contributor regardless.
