• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Bug Allowed Hackers to Get Anyone’s Email Address on Xbox Live

IbizaPocholo

NeoGAFs Kent Brockman

A serious flaw in Xbox Live allowed hackers to easily find out the email address used to register any Xbox gamertag.

Last week, an anonymous hacker reached out to Motherboard claiming to be able to discover the email behind anybody's Xbox gamertag. By default email addresses linked to gamertags are private. Motherboard was able to verify the existence of the vulnerability by providing the hacker with two gamertags, including one created just a few minutes earlier for testing purposes. The hacker sent back the email address used to register the two accounts within seconds.

A second anonymous hacker said that the bug was in the Xbox Live enforcement portal, where gamers can contact the company's team that polices the Xbox online community.


After Motherboard contacted Microsoft last week, the company patched the bug. Initially, the Microsoft Security Response Center, or MSRC, a part of the company that protects customers from being harmed by security vulnerabilities in Microsoft's products and software, didn't consider the bug to be a serious security risk.


"We received multiple reports regarding this and have informed the appropriate team about the issue and will let them address this as needed," the MSRC said in an email on Monday, responding to Motherboard's bug report. "An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed."
On Tuesday, a Microsoft spokesperson confirmed that the company “released an update to help protect customers.”

The hacker who alerted Motherboard of the bug asked us to publish this story only after a fix.

"If you publish the article before it's patched it will get found within 2-3 minutes. It's the easiest vulnerability I've ever found,” the hacker told Motherboard in an online chat.

The hacker explained that it would have been possible to abuse the bug and iterate gamertags to find out the email addresses of hundreds, if not thousands of Xbox players. In 2017, hackers took advantage of a similar bug in Instagram and even created a searchable database to dox Instagram celebrities. The bug could have been used to harass and dox anyone with a gamertag, a common form of abuse in the gaming community which sometimes has fatal consequences.

The anonymous hacker who initially told us about the bug isn't the only one who knew about it. Earlier this week, another anonymous hacker reached out and asked me if I was aware of "that Xbox zero-day," using the technical term for unknown vulnerability. The hacker then told me that he was referring to a technique to "pull any email from any gamertag," which relied on a bug within the Xbox Live Enforcement website, which is where users can report other gamers who use offensive language, post offensive videos, cheat, or harass other gamers.

"That's a big privacy nightmare," said a security expert who works in the gaming industry, and asked to remain anonymous because they were not authorized to speak to the press. "That's some irony right there, if their trust and safety portal is leaking personal information."

Amir Khashayar Mohammadi, a cybersecurity researcher, said that he wasn't surprised about the bug.

"I know a bunch of people who’ve been snatching some OG tags for years now," he said, referring to the concept of rare, valuable gamertags. "Wonder how long the method has worked for."
 
Last edited:

GloveSlap

Member
Can people still DDOS you if you join their party chat? I get spammed with chat invites after wrecking people sometimes and i'm never sure if they are trying to do that, or just cry/say i was cheating/challenge me to a 1v1.
 

MrFunSocks

Banned
Can people still DDOS you if you join their party chat? I get spammed with chat invites after wrecking people sometimes and i'm never sure if they are trying to do that, or just cry/say i was cheating/challenge me to a 1v1.
Yes but that’s got nothing to do with emails, that’s just your IP address. If a random invites you after you kill them or beat them that’s likely what they’re going to do.

If you want to have a bit of fun though just join the party on the Xbox app on your mobile phone, not on wifi. They’ll get very frustrated when you don’t get disconnected from their party haha.
 

GloveSlap

Member
Yes but that’s got nothing to do with emails, that’s just your IP address. If a random invites you after you kill them or beat them that’s likely what they’re going to do.

If you want to have a bit of fun though just join the party on the Xbox app on your mobile phone, not on wifi. They’ll get very frustrated when you don’t get disconnected from their party haha.
Yeah, i knew it was them seeing your IP I just wasn't sure if they ever fixed that (or if they even can) . Thanks for the app tip, maybe i'll try it.

I used to get a bunch of angry Halo messages back in the day challenging me to a 1v1. I would tell them to set it up and just never go.
 
Top Bottom