Xbox Live and Gamertags are at Risk

Xbox Live:

A multiplayer network for both Xbox and Windows 10 devices. Xbox Live Gold is a subscription service that allows Xbox consoles to play on the dedicated multiplayer servers of various games. Xbox Live Silver is the status of a Microsoft account that is connected to Xbox Live and has created an Xbox Live profile. It also offers features such as sending instant messages and viewing other players’ games and their progress. You can also use internet applications like Netflix or YouTube.

Xbox Gamertags:

It’s basically a tool to easily look up anyone’s profile: you can view any Xbox Live gamer profile, for both Xbox 360 and Xbox One, including recent games and achievements, the gamerscore from those games, motto, avatar, etc.

Xbox Live has fixed a serious vulnerability that could have let hackers easily obtain the email address behind any Xbox gamertag. Since every email address linked to a gamertag is private by default, the news was hard to believe.

According to Vice’s article, an anonymous hacker reached out to Motherboard claiming to be able to obtain the email address behind any user’s Xbox gamertag. Motherboard verified the vulnerability by providing the hacker with two gamertags, one of which had been created shortly before for testing purposes. Within seconds, the hacker sent back the email addresses used to register the two accounts.

Another anonymous hacker said that the bug was in the Xbox Live Enforcement Portal, where gamers can contact the support team that polices the Xbox online community.

MSRC said afterwards, in response to Motherboard’s bug report, “We received multiple reports regarding this and have informed the appropriate team regarding this issue and will let them address this as needed.” It added, “An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed.” A person who had spoken to Microsoft confirmed that the company has released an update to help protect customers after the incident.

The hacker who first informed Motherboard of the bug asked that the story be published only after the problem was fixed. He told Motherboard in an online chat, “If you publish the article before it’s patched it will get found within 2-3 minutes. It’s the easiest vulnerability I’ve ever found.” He explained that the bug could be abused by iterating over gamertags to harvest the email addresses of hundreds, if not thousands, of Xbox players.

In 2017, hackers took advantage of a similar bug in Instagram and built a searchable database in order to dox celebrities.

A similar bug has been used to harass and dox any user with a gamertag, a very common form of abuse in the gaming community that has sometimes had fatal consequences. The anonymous hacker who first reported this bug was not the only person who knew about it. Earlier this week, another anonymous hacker reached out and asked whether the “Xbox zero-day” (using the technical term for an unknown vulnerability) was already known. He was referring to a hacking technique to “pull any email from any gamertag,” which relied on a bug in the Xbox Live Enforcement website, where users can report other gamers who use offensive language, post offensive videos, cheat, or harass other gamers.

“That’s a big privacy nightmare,” said a security expert who works in the gaming industry and asked to remain anonymous because they were not permitted to talk to the press. They added, “That’s some irony right there, if their trust and safety portal is leaking personal information.”

Cybersecurity researcher Amir Khashayar Mohammadi said he wasn’t really surprised to hear about the bug. Referring to rare and valuable gamertags, he said, “I know a bunch of people who’ve been snatching some OG tags for years now. Wonder how long the method has worked for.”

Xbox belongs to Microsoft, so if we ever get stuck or hacked there, they will help us get our account back and protect it from being compromised again in the future.

It’s normal to panic when our account is hacked or we receive any mail related to that. To fix this issue, we should contact the Microsoft team immediately.

To do so:
Sign in to your Microsoft account.
Go to the Security section.
Use a strong password that you have never used anywhere else.

*** If you are unable to log in to your own account, that means either you have forgotten your password or your password has already been changed. In that case, you will need to RESET or RECOVER your lost Microsoft account’s password.

To recover:

Step 1: Try to sign into your account

Step 2: Check your account’s activity

Step 3: Recheck and verify your account information

Step 4: Cross check your transaction history

Step 5: Make your account more secure by reporting any suspicious activity to Xbox Live Policy Enforcement, or call support directly.

** When you cannot log in –

Select NO

Selecting ‘NO’ takes you to another page, where you are instructed to change your password on the “Why can’t I sign in?” screen.

You will receive a code at your registered phone number or email address, followed by an account recovery form.

You’ll have to answer all the security questions in the form and provide your previous login information.

***If you are able to log in on the first try and select YES, you may notice that Microsoft has already locked your account after detecting unusual activity.

In this case, you will receive a security code at the registered email address and phone number you provided when opening your account.

After you verify your account, the Microsoft team will unlock it and notify you; you may then change your password to a strong one.

If this doesn’t work because transactions have already been made from your account, you will need to contact Microsoft directly through Xbox Support.

Author: Karishma Farhina
Cyber Security Intern-Network Security
Securium Solutions Private Limited
