Is this the hack used to exploit Xbox Live accounts?

joshuaboy
joshuaboy Members Posts: 10,858 ✭✭✭✭✭
edited January 2012 in IllGaming
Fraud victim appears to work it out.


Last week we asked if Xbox Live had been hacked. We used the detailed account of Xbox Live fraud victim Susan Taylor to suggest that yes, it had.

After publishing the article, Eurogamer was approached by half a dozen other readers who had experienced similar exploitation on Xbox Live.

All the while, Microsoft staunchly denied any such security breach on Xbox Live.

But now we may have discovered how those Xbox Live accounts were broken into.

Eurogamer was contacted recently by "Jason", a man who claimed to know how to hack into Xbox Live accounts. He offered us an explanation via email last night. But our efforts to validate his claims were cut short by website AnalogHype, which today posted an uncannily similar "how-to", based on information provided by a source named Jason Coutee.

The same Jason? Probably.

Coutee and Eurogamer's "Jason" point the finger at Xbox.com - the website. This allows eight password attempts at a Windows Live ID before CAPTCHA is triggered - the system that presents those squiggly words. A simple password-generating script can apparently be used to exploit this system before CAPTCHA kicks in.

The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they're valid - "the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."

Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points. That's how it sounds. We haven't tested this, naturally.

Eurogamer has contacted Microsoft about this issue. Microsoft is aware of the issue and Eurogamer is waiting for a formal response.

AnalogHype says that Jason Coutee is a network infrastructure manager who had his own Xbox Live account hacked and used to fraudulently buy 8000 Microsoft Points. He called Xbox Support, who offered to freeze his account but couldn't refund him. He declined the offer and investigated himself, eventually stumbling upon the answer.

Since publishing Susan Taylor's account of Xbox Live fraud, Eurogamer has been contacted by half a dozen other people who were victims of similar exploitation. Thank you, those who have written in. And please do keep letting us know if you've had your Xbox Live account fraudulently used.
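As an added example (not code from Eurogamer, AnalogHype, 1UP or Microsoft), the following Python model shows the two weaknesses the article above and the quoted 1UP write-up describe, beside their hardened forms: a CAPTCHA counter scoped to the login flow, which resets when the flow is restarted, versus one scoped to the account; and distinct "doesn't exist" / "incorrect" messages versus a single uniform message. The `LoginService` class, the account table and the eight-attempt threshold used here are constructed for illustration.

```python
"""Constructed model of a login endpoint with a CAPTCHA-after-N-failures
rule. Weak mode keeps the counter in the login flow (reset by "sign in
with another ID") and leaks whether an account exists; hardened mode keys
the counter by account on the server and returns one uniform error."""
from dataclasses import dataclass, field
import hmac

CAPTCHA_AFTER = 8  # attempts before CAPTCHA, as reported in the article


@dataclass
class LoginService:
    users: dict                  # constructed account table: id -> password
    per_account: bool = True     # hardened: counter keyed by account, server-side
    uniform_errors: bool = True  # hardened: same message for unknown id / bad password
    failures: dict = field(default_factory=dict)

    def restart_flow(self, flow):
        # "Sign in using another Windows Live ID": the client starts a fresh flow.
        flow.clear()

    def login(self, flow, user_id, password, captcha_ok=False):
        store = self.failures if self.per_account else flow
        key = user_id if self.per_account else "flow"
        if store.get(key, 0) >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        real = self.users.get(user_id)
        if real is not None and hmac.compare_digest(real, password):
            store.pop(key, None)
            return "ok"
        store[key] = store.get(key, 0) + 1
        if self.uniform_errors or real is not None:
            return "The email address or password is incorrect"
        return "That Windows Live ID doesn't exist"


def guesses_without_captcha(svc, user_id, n):
    """How many of n wrong guesses reach the password check with no CAPTCHA,
    restarting the flow (as the article describes) whenever one is demanded."""
    flow, checked = {}, 0
    for i in range(n):
        result = svc.login(flow, user_id, f"wrong{i}")
        if result == "captcha_required":
            svc.restart_flow(flow)
            result = svc.login(flow, user_id, f"wrong{i}")
        if result != "captcha_required":
            checked += 1
    return checked
```

In weak mode every guess is checked because the restart wipes the counter; in hardened mode the server still remembers the account's eight failures, so the ninth and later guesses are blocked until a CAPTCHA is solved.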

Comments

  • joshuaboy
    joshuaboy Members Posts: 10,858 ✭✭✭✭✭
    edited January 2012
    We're all at risk, and we always have been.

    Security on Xbox Live is a growing concern, and a hacked subscriber has found one more reason to make us paranoid. Jason Coutee had $100 stolen after someone broke into his account, but rather than let Microsoft investigate the how and why, the network infrastructure manager took matters into his own hands. Coutee found an egregious exploit on Xbox.com that acts as a loophole for password thieves.


    Clicking the link squared off in red looped me back to my login -- with my email address filled in automatically.

    Failing to log into your Xbox Live account using your Windows Live ID eight times in a row presents you with a few options. You can recover your password with the usual "Reset your password" option. You can try entering it a ninth time, with a CAPTCHA box to fill in, thus proving you're not an Internet robot from the future. Finally, you could try logging in with another ID. Clicking that link brought me back to my login page with my Live ID already filled in. The password box was waiting for me -- the CAPTCHA box was gone.

    Hackers, then, could run a script that enters various passwords for Live accounts until it eventually busts into your account. Failing entry on that eighth attempt, hackers could avoid the CAPTCHA aimed at stopping them by way of the "Sign in using another Windows Live ID" link. AnalogHype reports this gives the user eight more attempts without a CAPTCHA interruption, which was not the case in my experiment. I got the prompt each time I failed to log in after that eighth attempt -- but I could loop back around and just try again without the CAPTCHA.

    What does this mean for you? Well, you're vulnerable. Anyone with know-how could cook up a script to run passwords and circle back using that link all day and potentially break into your account to steal your stuff. Time to strengthen those passwords, folks.

    We've asked Microsoft what's going to be done about this security bungle.

    Via 1UP
  • joshuaboy
    joshuaboy Members Posts: 10,858 ✭✭✭✭✭
    edited January 2012
    The company says it's not a loophole...

    UPDATE: Microsoft has addressed concerns surrounding an alleged Xbox.com hacking trick as reported here at IGN. The official line is as follows:

    "Microsoft can confirm that there has been no breach to the security of our Xbox Live service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers' information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at http://xbox.com/security to protect your account."

    Microsoft also specifically states, "This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue." In addition, it reiterated that account compromises are often a result of phishing scams and malware used to snatch your password.
  • bununs alias
    bununs alias Members Posts: 1,060 ✭✭✭✭✭
    edited January 2012
    Microsoft ain't shiet; when people's Xboxes were dropping like flies due to red rings, they wouldn't acknowledge anything