Microsoft has patched a bug in the Xbox website that could have allowed threat actors to link Xbox gamer tags to users’ real email addresses. According to ZDNet’s report, the vulnerability was reported to Microsoft through the company’s recently launched Xbox bug bounty program. In an interaction with ZDNet, Joseph ‘Doc’ Harris, one of several security researchers who reported the issue to Microsoft, stated that the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly punished for their behavior on the Xbox network.
As per the report, once users log in to the website, the Xbox Enforcement site creates a cookie file in their browser replete with details about their web session so that the gamer does not have to re-authenticate the next time they revisit the site.
Harris revealed that the portal’s cookie file contained an unencrypted Xbox user ID (XUID) field. Harris subsequently edited the XUID field and replaced it with the XUID of a test account he had created and used for testing as part of the bug bounty program.
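The weakness described above is a general one: a server that reads a user identifier straight out of a client-editable cookie will serve whatever account the client names. The following is an added illustration, not code from Microsoft, ZDNet or the researcher, using a constructed profile table and a placeholder signing key; it contrasts the vulnerable lookup with a cookie whose contents are bound to the server by an HMAC so that an edited XUID is rejected rather than honored.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: two fictitious profiles keyed by a made-up XUID.
PROFILES = {
    "1001": {"gamertag": "PlayerOne", "email": "alice@example.test"},
    "2002": {"gamertag": "PlayerTwo", "email": "bob@example.test"},
}

# Placeholder key for the illustration; a real service loads this from a
# secret store and rotates it.
SERVER_KEY = b"placeholder-server-signing-key"


def lookup_profile_vulnerable(cookie: dict, profiles: dict = PROFILES):
    """Vulnerable pattern: trust the plaintext 'xuid' field in the cookie.

    Whoever can edit the cookie can pick any account to view."""
    return profiles.get(cookie.get("xuid"))


def _encode(payload: dict) -> str:
    # Canonical JSON so the same payload always signs to the same bytes.
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_cookie(payload: dict) -> str:
    """Hardened pattern: cookie = base64(payload).hex(HMAC-SHA256(payload))."""
    body = _encode(payload)
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie_value: str):
    """Return the payload only if the MAC matches; None on any tampering."""
    try:
        body, mac = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def lookup_profile_hardened(cookie_value: str, profiles: dict = PROFILES):
    """Only a cookie the server itself issued identifies a user."""
    session = verify_cookie(cookie_value)
    if session is None:
        return None
    return profiles.get(session.get("xuid"))


def edited_cookie(cookie_value: str, new_xuid: str) -> str:
    """Simulate the report's edit: swap the XUID but keep the old MAC.

    Used here to show the hardened check rejects the result."""
    body, mac = cookie_value.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["xuid"] = new_xuid
    return f"{_encode(payload)}.{mac}"


if __name__ == "__main__":
    # Vulnerable: the edited cookie yields another account's email.
    print(lookup_profile_vulnerable({"xuid": "2002"}))
    # Hardened: the issued cookie works, the edited one does not.
    issued = sign_cookie({"xuid": "1001"})
    print(lookup_profile_hardened(issued))
    print(lookup_profile_hardened(edited_cookie(issued, "2002")))
```

A signed cookie stops the client from rewriting the identity field, but it still exposes the XUID in the browser; an opaque random session token with the XUID kept in a server-side session store avoids that as well, which matches the server-side nature of the fix the report describes.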
A Microsoft spokesperson revealed that the fix was deployed server-side, and there are no additional steps that users need to take to stay protected.
As per the report, a security analyst working for Microsoft’s Security Response Centre, which triages bug reports, revealed that the Xbox bug bounty program did not cover the bug, but the company still agreed to feature Harris on its Bug Bounty Hall of Fame as a contributor.