A serious flaw in Xbox Live allowed hackers to easily find out the email address used to register any Xbox gamertag.
Last week, an anonymous hacker reached out to Motherboard claiming to be able to discover the email behind anybody's Xbox gamertag. By default email addresses linked to gamertags are private. Motherboard was able to verify the existence of the vulnerability by providing the hacker with two gamertags, including one created just a few minutes earlier for testing purposes. The hacker sent back the email address used to register the two accounts within seconds.
A second anonymous hacker said that the bug was in the Xbox Live enforcement portal, where gamers can contact the company's team that polices the Xbox online community.
After Motherboard contacted Microsoft last week, the company patched the bug. Initially, the Microsoft Security Response Center, or MSRC, a part of the company that protects customers from being harmed by security vulnerabilities in Microsoft's products and software, didn't consider the bug to be a serious security risk.
"We received multiple reports regarding this and have informed the appropriate team about the issue and will let them address this as needed," the MSRC said in an email on Monday, responding to Motherboard's bug report. "An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed."
On Tuesday, a Microsoft spokesperson confirmed that the company “released an update to help protect customers.”
Do you, or did you used to, work at Microsoft? Do you know anything else about the company? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at email@example.com, or email firstname.lastname@example.org.
The hacker who alerted Motherboard of the bug asked us to publish this story only after a fix.
"If you publish the article before it's patched it will get found within 2-3 minutes. It's the easiest vulnerability I've ever found,” the hacker told Motherboard in an online chat.
The hacker explained that it would have been possible to abuse the bug and iterate gamertags to find out the email addresses of hundreds, if not thousands of Xbox players. In 2017, hackers took advantage of a similar bug in Instagram and even created a searchable database to dox Instagram celebrities. The bug could have been used to harass and dox anyone with a gamertag, a common form of abuse in the gaming community which sometimes has fatal consequences.
The anonymous hacker who initially told us about the bug isn't the only one who knew about it. Earlier this week, another anonymous hacker reached out and asked me if I was aware of "that Xbox zero-day," using the technical term for unknown vulnerability. The hacker then told me that he was referring to a technique to "pull any email from any gamertag," which relied on a bug within the Xbox Live Enforcement website, which is where users can report other gamers who use offensive language, post offensive videos, cheat, or harass other gamers.
"That's a big privacy nightmare," said a security expert who works in the gaming industry, and asked to remain anonymous because they were not authorized to speak to the press. "That's some irony right there, if their trust and safety portal is leaking personal information."
Amir Khashayar Mohammadi, a cybersecurity researcher, said that he wasn't surprised about the bug.
"I know a bunch of people who’ve been snatching some OG tags for years now," he said, referring to the concept of rare, valuable gamertags. "Wonder how long the method has worked for."