3 replies to this topic

[Demon_Skeith]

Security on Xbox Live is a growing concern, and a hacked subscriber has found one more reason to make us paranoid. Jason Coutee had $100 stolen after someone broke into his account, but rather than let Microsoft investigate the how and why, the network infrastructure manager took matters into his own hands. Coutee found an egregious exploit on Xbox.com that acts as a loophole for password thieves.

Failing to log into your Xbox Live account using your Windows Live ID eight times in a row presents you with a few options. You can recover your password with the usual "Reset your password" option. You can try entering it a ninth time, with a CAPTCHA box to fill in, thus proving you're not an Internet robot from the future. Finally, you could try logging in with another ID. Clicking that link brought me back to my login page with my Live ID already filled in. The password box was waiting for me -- the CAPTCHA box was gone.

Hackers, then, could run a script that enters various passwords for Live accounts until it eventually busts into your account. Failing entry on that eighth attempt, hackers could avoid the CAPTCHA aimed at stopping them by way of the "Sign in using another Windows Live ID" link. AnalogHype reports this gives the user eight more attempts without a CAPTCHA interruption, which was not the case in my experiment. I got the prompt each time I failed to log in after that eight -- but I could loop back around and just try again without the CAPTCHA again.

What does this mean for you? Well, you're vulnerable. Anyone with know-how could cook up a script to run passwords and circle back using that link all day and potentially break into your account to steal your stuff. Time to strengthen those passwords, folks.

UPDATE: Microsoft has addressed concerns surrounding an alleged Xbox.com hacking trick as reported here at IGN. The official line is as follows:

"Microsoft can confirm that there has been no breach to the security of our Xbox Live service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at http://xbox.com/security to protect your account."

Microsoft also specifically states, "This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue." In addition, it reiterated that account compromises are often a result of phishing scams and malware used to snatch your password.

source

[Joshua]

I like how they deflect the allegations, and state that nothing is wrong. That is obviously a loophole, and it is a security flaw.

[Demon_Skeith]

they just don't want to join sony and Nintendo in the 'we have been hacked' circle.

[Ikram45]

Well then I hope we don't get to hear news that this time XBL has been hacked after PSN.