According to a report by ZDNet, the bug in enforcement.xbox.com was spotted by Joseph “Doc” Harris and a team of security researchers. The website, enforcement.xbox.com, allows Xbox users to view strikes against their profile, as well as file appeals if in case they feel the strike is unfair. It was found that after a user logs in to the website, it creates a cookie file with details of the web session in their browser. This cookie file included an unencrypted Xbox user ID (XUID) field.
Harris was able to use standard browser tools to edit the XUID field and replace it with the XUID of a test account he had created for the Xbox bug bounty programme. Once he replaced the value and refreshed the page, emails of other users were visible. Check out the video by Harris detailing the same.
It was noted that other subdomains were not affected by this bug. The report states that Microsoft patched this bug last month and encrypted the XUID. It was a server-side fix and a Microsoft spokesperson told ZDNet that users do not need to do anything. Additionally, while the bug was not covered under the company’s bug bounty programme, it featured Harris as a contributor in its Bug Bounty Hall of Fame. However, there was no monetary reward.
The bug had the potential to leak actual email IDs to hackers which could then be used for malicious purposes. What’s alarming is that no special tool was required to get access to other user’s email ID.
Which is the best TV under Rs. 25,000? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.