Earlier this week we reported on the increasing number of Xbox LIVE users whose accounts were stolen in the past few days. Microsoft downplayed the issue, dismissing it as the result of phishing scams unrelated to Xbox LIVE security, but today one user appears to have discovered how hackers exploited the Xbox.com website to steal those accounts.
The loophole was discovered by Jason Coutee, a network infrastructure manager, who published it through AnalogHype.com. According to Coutee, the process starts by simply typing any gamertag into Google to find the Windows Live ID associated with it. After that, all the hacker has to do is run a brute-force script that tries a dictionary of passwords against that ID on Xbox.com.
Insisting on burying its head in the sand, Microsoft issued a statement claiming that "this is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."
According to our security experts, brute-force attacks such as the one described here are among the most basic attacks, and properly designed online systems are resistant to them. For example, the Xbox.com brute-force attack can be mitigated by enforcing an increasing delay between login attempts and by requiring the user to solve a CAPTCHA after a certain number of failed logins. In fact, Xbox.com already asks users to enter a CAPTCHA after 8 failed login attempts; the problem is that the page contains a link to try a different username which, once clicked, resets the failed-attempt counter.
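To make the difference concrete, here is an added example (written for this article, not code from Xbox.com or from Coutee) contrasting a failed-attempt counter that the client can reset, as described above, with one that is keyed server-side to the targeted account and backs off exponentially. The account, password hash, wordlist and the 60-second back-off cap are all constructed for the demo; the 8-failure CAPTCHA threshold is the one reported above.

```python
"""Added example, not code from the article or from Xbox.com: a toy login
throttle contrasting a failed-attempt counter the client can reset (the
flaw described above) with one keyed server-side to the targeted account.
Users, passwords and the wordlist are constructed for the demo."""
import hashlib
import time

CAPTCHA_AFTER = 8      # the 8-failure threshold the article reports
MAX_DELAY = 60.0       # cap on the exponential back-off (assumption)


def _h(pw):
    # demo only: a real system would use a slow, salted hash such as bcrypt
    return hashlib.sha256(pw.encode()).hexdigest()


USERS = {"player@example.com": _h("hunter2")}   # constructed account


class VulnerableThrottle:
    """Counter tied to the browser session; 'try a different username'
    resets it, so the attacker can reset it too."""
    def __init__(self):
        self.failures = 0

    def switch_user(self):
        self.failures = 0          # the loophole: client-triggered reset

    def login(self, user, password, captcha_ok=False):
        if self.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        if USERS.get(user) == _h(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "bad_password"


class HardenedThrottle:
    """Counter keyed to the account and held server-side; nothing the
    client does resets it, and each failure doubles the wait."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}            # user -> (failures, not_before)

    def login(self, user, password, captcha_ok=False):
        failures, not_before = self.state.get(user, (0, 0.0))
        now = self.clock()
        if now < not_before:
            return "too_early"
        if failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        if USERS.get(user) == _h(password):
            self.state.pop(user, None)   # success clears the counter
            return "ok"
        failures += 1
        self.state[user] = (failures, now + min(MAX_DELAY, 2.0 ** failures))
        return "bad_password"


# constructed wordlist; the real target password sits at position 10
WORDLIST = ["password", "123456", "qwerty", "letmein", "xbox360", "halo",
            "gamertag", "master", "dragon", "hunter2", "trustno1"]


def brute_force(throttle, user, wordlist=WORDLIST):
    """Dictionary attack as the article describes it. Returns
    (password_or_None, requests_made). On a CAPTCHA prompt it follows
    the reset link if the throttle offers one, otherwise it gives up."""
    attempts = 0
    for candidate in wordlist:
        while True:
            attempts += 1
            result = throttle.login(user, candidate)
            if result == "ok":
                return candidate, attempts
            if result == "captcha_required" and hasattr(throttle, "switch_user"):
                throttle.switch_user()
                continue           # retry the same candidate; counter is zero again
            if result in ("captcha_required", "too_early"):
                return None, attempts
            break                  # bad_password: move on to the next candidate
    return None, attempts


if __name__ == "__main__":
    print(brute_force(VulnerableThrottle(), "player@example.com"))
    print(brute_force(HardenedThrottle(clock=lambda: 0.0), "player@example.com"))
```

Against `VulnerableThrottle` the script hits the CAPTCHA after eight failures, follows the reset link, and recovers the password on the eleventh request; against `HardenedThrottle` with a frozen clock it is refused on the second request because the back-off is attached to the account, not to the client's session. The caveat a practitioner will spot: a purely per-account delay lets an attacker lock the legitimate owner out of their own account, so in practice the counter is combined with per-source limits and the CAPTCHA or step-up challenge is preferred over a hard lockout.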
Microsoft didn't forget to assert in its statement that "Microsoft can confirm that there has been no breach to the security of our Xbox Live service."