Microsoft has fixed a bug on an Xbox website that could have allowed attackers to link the user names of Xbox players to their real email addresses.
Microsoft had been informed of the error through the newly launched Xbox Vulnerability Reward Program.
Joseph Harris – one of several security researchers who reported the problem to Microsoft this year – posted his findings on the tech site ZDNet earlier this week.
The security researcher said the vulnerability was in enforcement.xbox.com, a web portal where Xbox users can view the enforcement notices issued against their accounts and file an appeal if they believe they did not deserve the warning for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site sets a cookie in their browser holding details of their web session, so that they do not have to re-authenticate when they visit the site again later.
According to Harris, the site's cookie included each user's personal Xbox identifier, the XUID, in unencrypted form. Using simple tools, including nothing more than a modern web browser, Harris was able to edit the XUID field and replace it with another user's identifier.
“I tried replacing the value of the cookie, and on refreshing, I suddenly found myself able to see the other user's email addresses,” Harris said in an interview with ZDNet. Microsoft released a fix for the bug last month; according to Harris, the fix encrypts the XUID.
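To show the difference between the cookie design Harris describes and a hardened one, here is an added illustration in Python; it is not Microsoft's code, and the user records, identifiers, server key and function names are constructed for the example. The weak handler trusts a plaintext identifier read straight from the cookie, so editing that identifier changes whose profile the server returns. The hardened handler binds the identifier to a server-held secret with an HMAC, so a cookie whose identifier was edited in the browser fails verification and is rejected. The page says Microsoft's fix encrypted the XUID; the HMAC here is an assumption chosen as the simplest integrity check, not a description of the actual fix, and a real deployment would typically use authenticated encryption or an opaque server-side session id.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample user store: hypothetical ids and addresses, not real Xbox data.
USERS = {
    "1001": {"gamertag": "PlayerOne", "email": "playerone@example.com"},
    "1002": {"gamertag": "PlayerTwo", "email": "playertwo@example.com"},
}

# Secret that stays on the server; never placed in the cookie (constructed value).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def issue_plain_cookie(xuid: str) -> str:
    """Weak design: the cookie carries the user identifier in the clear."""
    return f"xuid={xuid}"


def profile_from_plain_cookie(cookie: str) -> Optional[dict]:
    """Weak design: the server trusts whatever identifier the cookie carries."""
    _, _, xuid = cookie.partition("=")
    return USERS.get(xuid)


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server secret."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_signed_cookie(xuid: str) -> str:
    """Hardened design: cookie value is base64(payload).mac; any edit breaks the MAC."""
    payload = base64.urlsafe_b64encode(json.dumps({"xuid": xuid}).encode())
    return f"session={payload.decode()}.{_sign(payload)}"


def profile_from_signed_cookie(cookie: str) -> Optional[dict]:
    """Hardened design: verify the MAC before trusting the identifier inside."""
    _, _, value = cookie.partition("=")
    payload_b64, sep, mac = value.rpartition(".")
    if not sep:
        return None  # malformed cookie
    if not hmac.compare_digest(_sign(payload_b64.encode()), mac):
        return None  # edited or forged cookie is rejected
    xuid = json.loads(base64.urlsafe_b64decode(payload_b64))["xuid"]
    return USERS.get(xuid)


def edited_cookie(cookie: str, new_xuid: str) -> str:
    """Model the browser-side edit the article describes: swap the id in the cookie.

    For the plain cookie this is a direct replacement.  For the signed cookie the
    payload can be rewritten, but the old MAC must be reused because the client
    does not hold SERVER_KEY, so the server will reject it.
    """
    name, _, value = cookie.partition("=")
    if name == "xuid":
        return f"xuid={new_xuid}"
    _, _, mac = value.rpartition(".")
    new_payload = base64.urlsafe_b64encode(json.dumps({"xuid": new_xuid}).encode())
    return f"session={new_payload.decode()}.{mac}"


if __name__ == "__main__":
    # Weak design: editing the cookie exposes another user's record.
    print(profile_from_plain_cookie(edited_cookie(issue_plain_cookie("1001"), "1002")))
    # Hardened design: the same edit is rejected (prints None).
    print(profile_from_signed_cookie(edited_cookie(issue_signed_cookie("1001"), "1002")))
```

Verifying the MAC with `hmac.compare_digest` rather than `==` avoids timing differences that could leak how many bytes of a forged tag matched; the server still looks the user up by identifier, but only after proving the identifier was the one it issued.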
A Microsoft spokesperson told ZDNet that the fix was deployed entirely on the server side, which means users do not have to take any additional steps to stay safe.
Harris said that the other domains of the Xbox platform do not suffer from the same problem.
A security analyst at the Microsoft Security Response Center, which reviews bug reports, said the finder did not receive a monetary reward, but the company agreed to list Harris in its Bug Bounty Hall of Fame as a contributor.