According to reports, Microsoft has fixed a bug in the Xbox website that could expose the real email addresses associated with users’ Xbox gamertags. The vulnerability was reported to the company through its bug bounty program and has since been fixed. Earlier this week, the discovery on enforcement.xbox.com was shared with online publications. The report explains that the Xbox User ID (XUID) field on enforcement.xbox.com was not encrypted.
According to the ZDNet report, the error in enforcement.xbox.com was discovered by Joseph “Doc” Harris and a team of security researchers. The Xbox website (enforcement.xbox.com) allows Xbox users to view strikes against their account and appeal if they believe a strike is unfair. The researchers found that after a user logs into the website, a cookie containing details of the web session is created in the browser. This cookie contains an unencrypted Xbox User ID (XUID) field.
Harris was able to use standard browser tools to edit the XUID field and replace it with the XUID of a test account he had created for the Xbox bug bounty program. Once he replaced the value and refreshed the page, he could see the other account’s email address. A video by Harris demonstrates the issue in detail.
Note that other subdomains were not affected by this error. The report states that Microsoft patched the bug last month by encrypting the XUID. This is a server-side fix, and a Microsoft spokesperson told ZDNet that users do not need to take any action. Although the vulnerability was not covered by the company’s bug bounty program, Microsoft has listed Harris in its bug bounty hall of fame; there was no monetary reward.
This vulnerability could have leaked users’ real email addresses to attackers, who could then use them for malicious purposes. The concerning part is that no special tools were needed to access other users’ email addresses.
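The flaw described above is a classic case of trusting an identifier the client controls. The following is an added illustration, not Microsoft’s code or anything from the report: a minimal profile lookup that reads a plain XUID from the cookie (the vulnerable pattern), beside two hardened variants, one that resolves identity from a server-side session and one that binds the cookie’s XUID with an HMAC tag so an edited value is rejected. All account data, XUIDs and function names are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample data (hypothetical XUIDs and addresses, not real Xbox records).
ACCOUNTS = {"1001": {"email": "alice@example.com"}, "1002": {"email": "bob@example.com"}}
SESSIONS: dict = {}                      # server-side store: session id -> authenticated XUID
SERVER_KEY = secrets.token_bytes(32)     # kept server-side only; never sent to the browser


def parse_cookie(header: str) -> dict:
    """Split a Cookie header such as 'sid=abc; xuid=1001' into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def profile_vulnerable(cookie_header: str) -> Optional[str]:
    """Flawed pattern: the plain XUID in the cookie is trusted as the caller's identity,
    so whatever XUID the browser sends selects whose record is returned."""
    rec = ACCOUNTS.get(parse_cookie(cookie_header).get("xuid", ""))
    return rec["email"] if rec else None


def login(xuid: str) -> str:
    """Hardened pattern, part 1: bind the authenticated XUID to a random session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = xuid
    return sid


def profile_fixed(cookie_header: str) -> Optional[str]:
    """Hardened pattern, part 2: resolve identity from the server-side session only;
    any 'xuid' field the browser sends in the cookie is simply ignored."""
    xuid = SESSIONS.get(parse_cookie(cookie_header).get("sid", ""))
    rec = ACCOUNTS.get(xuid) if xuid else None
    return rec["email"] if rec else None


def sign_xuid(xuid: str) -> str:
    """Alternative: if the XUID must live in the cookie, bind it with an HMAC tag."""
    tag = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    return f"{xuid}.{tag}"


def profile_signed(cookie_header: str) -> Optional[str]:
    """Verify the tag before use: an edited XUID no longer matches its tag and is rejected."""
    xuid, _, tag = parse_cookie(cookie_header).get("xuid", "").partition(".")
    expected = hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(tag, expected):
        return None
    rec = ACCOUNTS.get(xuid)
    return rec["email"] if rec else None
```

The session-store variant matches the server-side nature of the fix described in the report, since the browser never sees the XUID at all; the signed variant shows why a tampered field fails verification.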