Xbox Website Loose Security Is The Source Of Hacked Xbox Accounts

Earlier this week we reported on the increasing number of Xbox LIVE users whose accounts were stolen in the past few days. Microsoft downplayed the issue and dismissed it as the result of phishing scams unrelated to Xbox LIVE security, but today one user seems to have discovered how hackers exploited the Xbox.com website to steal those accounts.

The loophole was discovered by Jason Coutee, a network infrastructure manager, who published it through AnalogHype.com. According to Coutee, the process starts simply by typing any gamertag into Google to find the Windows Live ID associated with it. After that, all the hacker has to do is run a brute force script that tries a dictionary of passwords against this ID on Xbox.com.

Insisting on burying its head in the sand, Microsoft issued a statement claiming that "this is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."

According to our security experts, brute force attacks such as the one described here are among the most basic attacks, and properly designed online systems are impervious to them. For example, the Xbox.com brute force attack can be mitigated by enforcing an increasing delay between login attempts and by requiring the user to solve a CAPTCHA after a certain number of failed logins. In fact, Xbox.com already asks users to enter a CAPTCHA after 8 failed login attempts; the problem is that the page contains a link to try a different username, and clicking it resets the failed-attempt counter.
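As an added illustration (not code from the article, from Coutee, or from Microsoft), the throttle below models the two designs this paragraph contrasts: a failed-attempt counter that the "try a different username" link can reset, and one keyed on the target account that no client action clears. The 8-attempt CAPTCHA threshold is the figure the article gives; the base delay and cap are assumed values.

```python
class LoginThrottle:
    """Failed-login counter with escalating delay and a CAPTCHA gate.

    flawed=True models the weakness described in the article: the counter
    lives in the session and the 'try a different username' link clears it.
    flawed=False keys the counter on the target account; only a successful
    login (or a server-side expiry, not modelled here) resets it.
    """
    CAPTCHA_AFTER = 8    # failed attempts before a CAPTCHA is demanded (article)
    BASE_DELAY = 1.0     # seconds after the first failure (assumed)
    MAX_DELAY = 300.0    # ceiling on the back-off (assumed)

    def __init__(self, flawed=False):
        self.flawed = flawed
        self.failures = {}          # account -> consecutive failed attempts
        self.session_failures = 0   # flawed design counts per session only

    def switch_username(self):
        """The 'try a different username' link; only the flawed design resets."""
        if self.flawed:
            self.session_failures = 0

    def _count(self, account):
        return self.session_failures if self.flawed else self.failures.get(account, 0)

    def required_delay(self, account):
        """Seconds the server should wait before accepting another attempt."""
        n = self._count(account)
        return 0.0 if n == 0 else min(self.BASE_DELAY * 2 ** (n - 1), self.MAX_DELAY)

    def captcha_required(self, account):
        return self._count(account) >= self.CAPTCHA_AFTER

    def record_failure(self, account):
        if self.flawed:
            self.session_failures += 1
        else:
            self.failures[account] = self.failures.get(account, 0) + 1

    def record_success(self, account):
        self.failures.pop(account, None)
        self.session_failures = 0


def simulate(flawed):
    """Eight wrong guesses, then the reset link; returns (captcha_required, delay)."""
    throttle = LoginThrottle(flawed=flawed)
    target = "victim@example.com"   # constructed sample Windows Live ID
    for _ in range(LoginThrottle.CAPTCHA_AFTER):
        throttle.record_failure(target)
    throttle.switch_username()      # attacker clicks the link and comes back
    return throttle.captcha_required(target), throttle.required_delay(target)
```

In the flawed mode the link leaves the attacker with no CAPTCHA and no delay; in the hardened mode the account still demands a CAPTCHA and a 128-second wait.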

Microsoft didn't forget to assert in its statement that "Microsoft can confirm that there has been no breach to the security of our Xbox Live service."


Comments

Corsair Piracy?

I wonder if this wasn't done on purpose by groups of hackers under government orders... if you think of how many rival countries the US has, it's a perfectly logical point of view.

-Dr Strange-

This is partly wrong.

While I would agree that the methods described are likely the way the accounts were hacked into, there is one little error in Mr. Coutee's believed methods. My account was hacked into and my password did not contain words. It was letters and numbers and was 14 digits long. A "dictionary of passwords" simply seems unreal in my case.

There is more to what happened than Mr. Coutee's theory and his working method.

It could take a long time,

It could take a long time, but if they had access to some sort of supercomputer or a crap load of servers, in theory, it could be done.
Starting with the minimum amount of letters, numbers, and characters, i.e.: aaaaaa aaaaab or aaaaa1 aaaaa2 or 111111 111112 or ###### and so on.

Even random letter/number/character strings can be generated.

I suppose this is a

I suppose this is a possibility; however, if they already broke the 14 digit mark, I would imagine that almost every account they know of is already jeopardized. This could be millions of accounts if it is a team of people doing this.

What Microsoft should do is simple: if X number of tries fail, the console itself gets banned from the account until a call to Microsoft fixes the problem by verifying the legitimacy of the account ownership. Since the hacker could never do this, every account would be safe from this method.

On the plus side, my account getting hacked was profitable to me. I got my MS points back, 2 months of Xbox Live free and 100 extra MS points. It only took a week for them to resolve this issue.

Easily possible

The dictionary of passwords can be created for all possible combinations up to the password length limit. A person can then set up a script to try the most common first, then go on to the rest. The script could even reset the retry count by auto-clicking the link or by filling in the CAPTCHA. They can set up multiple account brute forces and run them all at the same time while they go about their lives. The script will write down or sound an alarm whenever there is a success. You couldn't ban accounts from the console, as people don't brute force on the console, they do it on the computer.

I actually never used my

I actually never used my credit card on Xbox Live; I used PayPal to make purchases of Microsoft points, and I never keep the accounts associated with each other like Microsoft tries to do. Only my leftover balance of MS points was stolen.

I fail to see the logic in your post, however, and why you are being insulting towards me. I know that some people have gotten charges because of this; however, if your credit card is not safe with a major corporation that takes large measures towards security, where is it safe to use it? You are extremely illogical.

But...

The other way around it is to track that username on different websites, eBay for example, and then use brute force attacks on them.
Once the attack is successful, it would be a piece of cake to access the Xbox Live accounts, because people generally use the same password across multiple sites.

The only proviso to the above is figuring out their email addresses for the other sites.
The Xbox site login will most likely be an @live or @hotmail address anyway.

Microsoft know they have a problem but are just brushing it aside because they don't want to have to do what Sony did last year.
