Xbox.com Security Flaw
As many of you are aware, there has been quite a spate of Xbox Live accounts being hacked or compromised recently. Whether through the FIFA hack or otherwise, we all know a lot of people are getting hacked, especially lately. Well, one Xbox Live customer thinks he has found what might actually be the flaw in their system, and the reason his account, among others, is getting compromised. As much as Xbox might want to put the blame on the consumer in this instance, it seems as though it is the company's fault. What am I getting at with this? Well, I shall tell you the story of Jason Coutee!
Coutee contacted Microsoft after he found out that his account had been stolen and 8,000 Microsoft Points had been purchased using the credit card details stored on his account. When he notified them of what had happened, they refused to refund him for the 8,000 Microsoft Points and instead said that they could lock his account and investigate, which can take at LEAST 30 days. He declined, and actually opted to investigate it himself using his professional experience. A couple of weeks later he found a hole in Xbox.com's security.
Unlike most websites, Xbox.com appears to allow an indefinite number of password attempts, requiring only that a CAPTCHA be entered after eight failed attempts. If you enter the CAPTCHA correctly, you get another eight attempts, meaning that with a password-generating script a hacker can take control of Xbox Live accounts without fear of the account being locked down as a precaution after too many failed attempts.
To test the theory, Coutee played a few rounds of Halo: Reach and took note of his opponents' Xbox Live gamertags, then Googled them in the hope of finding a related email address. Xbox.com was a help here, as after a login attempt it makes clear whether or not an email address has an associated Windows Live ID.
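The two weaknesses described above, as an added illustration that is not part of the original article and not Microsoft's code: a login handler whose failure counter resets every time a CAPTCHA is solved and whose reply reveals whether an address is registered, beside a hardened version that gives one uniform failure reply and enforces a per-account lockout no CAPTCHA can clear. The account names, the 15-minute lockout length and the password hashing are constructed assumptions.

```python
import hashlib
import hmac
MAX_FAILURES = 8        # the article: Xbox.com demanded a CAPTCHA after eight failed tries
LOCKOUT_SECONDS = 900   # assumption for the hardened variant: 15-minute lockout

def _hash(password: str) -> bytes:
    # Stand-in for a slow password hash (bcrypt/scrypt/argon2); SHA-256 keeps the demo short.
    return hashlib.sha256(password.encode()).digest()

def new_account(password: str) -> dict:
    return {"pw_hash": _hash(password), "failures": 0, "locked_until": 0.0}

class WeakLogin:
    """As described: a solved CAPTCHA resets the counter, and the reply leaks registered addresses."""
    def __init__(self, users: dict):
        self.users = users
    def attempt(self, email: str, password: str, captcha_ok: bool = False) -> str:
        acct = self.users.get(email)
        if acct is None:
            return "no Windows Live ID for this address"   # account enumeration
        if acct["failures"] >= MAX_FAILURES:
            if not captcha_ok:
                return "captcha required"
            acct["failures"] = 0                            # the reset: eight more tries
        if hmac.compare_digest(acct["pw_hash"], _hash(password)):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        return "wrong password"

class HardenedLogin:
    """Both defects fixed: one uniform failure reply, and a per-account lockout no CAPTCHA clears."""
    def __init__(self, users: dict):
        self.users = users
        self.audit = []                                     # lockout events the defender can alert on
    def attempt(self, email: str, password: str, now: float) -> str:
        acct = self.users.get(email)
        if acct is None:
            _hash(password)                                 # same work as the real path (timing)
            return "invalid credentials"
        if now < acct["locked_until"]:
            return "invalid credentials"                    # locked: password is not even checked
        if hmac.compare_digest(acct["pw_hash"], _hash(password)):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:                # counter persists: each later failure re-locks
            acct["locked_until"] = now + LOCKOUT_SECONDS
            self.audit.append(("lockout", email))
        return "invalid credentials"
```

In the hardened version a locked account rejects even the correct password until the window expires, and the only thing a caller learns from any failure is "invalid credentials".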
After gathering his findings, Coutee contacted Microsoft, but his claims were given the runaround. HQ gave him a support email address, the helpline pointed him to the Xbox.com forums, and Microsoft's piracy and phishing department simply declined to help altogether.
Unfortunately, this all seems too realistic, and other gaming websites have since looked into the issue and verified his findings. Now, if Microsoft chooses not to do anything about this, they are going to have a lot of explaining to do when more people find this flaw in the future. But here is my question to you: do you think this is actually one of the reasons so many Xbox accounts are getting hacked? Or do you think this is just one of those security issues that very few people actually use, or even know about? Let us know your opinion on the flaw, and also how you feel about the way Microsoft is handling the findings.