Has the Xbox Live account exploit issue been discovered?

We have been covering the news on how a number of Xbox Live users have discovered that their accounts have been taken over by hackers and used to buy Microsoft Points and other content for Microsoft's Xbox 360 console. The affected users have insisted that they were not the victims of phishing or any other online scam that could have been used to obtain their user names and passwords. Microsoft has likewise insisted that the Xbox Live service has not been the subject of a cyber attack.

Now it appears that someone has found a way to gain access to Xbox Live accounts that involves neither phishing nor a direct compromise of the Xbox Live network. Instead, it may be a flaw in the Xbox.com web site. Eurogamer.com reports that a person named "Jason" contacted them claiming to have found an issue with the Xbox.com web site. The same information was later given to AnalogHype by a person named Jason Coutee.

Basically, the two sites state that a person can take over an Xbox Live account by searching for Xbox Live Gamertags in search engines. A person's Windows Live ID can sometimes be discovered by these searches. Then a person uses that Windows Live ID and a password-generating script on the Xbox.com web site. This method can also be used to find the user's password in some cases.

Eurogamer said it has contacted Microsoft about this discovery. So far it appears that Microsoft is aware of the problem, but there has been no official response to this apparent loophole in its system.


36 Comments


Microsoft finally made it so that you can turn off Xbox live gold auto-renew from their web site, but you still can't remove your credit card from their system without calling them. Complete and utter bull****.

This isn't the cause of the exploit, as has been discussed in the thread earlier today.
Yes, this security flaw will confirm if an email address is valid, but the password still has to be brute forced. That takes years and years for the average "non-obvious" password.

Moral of the story, this isn't the exploit.

Astra.Xtreme said,
This isn't the cause of the exploit, as has been discussed in the thread earlier today.
Yes, this security flaw will confirm if an email address is valid, but the password still has to be brute forced. That takes years and years for the average "non-obvious" password.

Moral of the story, this isn't the exploit.

a modern GPU can brute force an 8 character password in 4hrs. it can do 12 characters in a matter of days. if account lockouts for invalid attempts aren't implemented then it will take hours/days not years. and imagine if you have 2 or 3 top cards in SLI mode, the time can be reduced even more.

m0nty said,

a modern GPU can brute force an 8 character password in 4hrs. it can do 12 characters in a matter of days. if account lockouts for invalid attempts aren't implemented then it will take hours/days not years. and imagine if you have 2 or 3 top cards in SLI mode, the time can be reduced even more.

They can brute force a local password quickly using GPUs but this is a server-side form, it will take significantly longer. Cracking a password using a GPU can do billions of checks per second, brute forcing a form on a server would be lucky to reach 20,000 checks per second (50,000 times slower minimum)

Edited by ZakO, Jan 13 2012, 11:31pm

ZakO said,

They can brute force a local password quickly using GPUs but this is a server-side form, it will take significantly longer. Cracking a password using a GPU can do billions of checks per second, brute forcing a form on a server would be lucky to reach 20,000 checks per second.

Exactly... a server attack would take many many times longer, this isn't even close to being the real issue.

My opinion, I still suspect phising or poor passwords.

Astra.Xtreme said,
This isn't the cause of the exploit, as has been discussed in the thread earlier today.
Yes, this security flaw will confirm if an email address is valid, but the password still has to be brute forced. That takes years and years for the average "non-obvious" password.

Moral of the story, this isn't the exploit.

Years and years? Um, not really for most people. Using base user ASCII and common suffix and prefix combinations, there are a bunch of accounts that I could yank from Neowin if that was the intent.

For example, how many people use common things like 0 instead of O and capitalization differences or a !@# prefix, etc. There is a common database of this stuff hackers use.

Also, if you have a good 'cold reader' all they would have to do is meet you in person and know your password. Sadly, people like patterns and are human, which makes them a security flaw. (If it was important, I could hire a team of 'readers' like Derren Brown and target a Starbucks or common place that people go that I wanted to obtain a ton of passwords. This is why the human element needs to be removed from the equation completely.)

ZakO said,

They can brute force a local password quickly using GPUs but this is a server-side form, it will take significantly longer. Cracking a password using a GPU can do billions of checks per second, brute forcing a form on a server would be lucky to reach 20,000 checks per second (50,000 times slower minimum)

Not if using multiple computers...

This is how most of the successful hackers like Anonymous and others were able to hit such large and 'sort of' secure installations, as they had 5000-10000 botted Linux servers at their disposal. (Just as a reminder of how the Linux security myth works against people. To this day, the majority of the 'confessed servers' used still don't know they are rooted. And this doesn't even move on to the larger threat of the compromised Linux routers leaching information.)

Hacking 'users' and Windows is so 10 years ago, why bother when you can have direct packet access and the processing power of a small army of 'always on' servers.


m0nty said,

a modern GPU can brute force an 8 character password in 4hrs. it can do 12 characters in a matter of days. if account lockouts for invalid attempts aren't implemented then it will take hours/days not years. and imagine if you have 2 or 3 top cards in SLI mode, the time can be reduced even more.

Add in several bot servers at your disposal, and cycle through a long list of names as each times out, and you could have a lot of account passwords in a very short time.

(Using the GPU wouldn't even be necessary, as it would be faster than the lockouts hit anyway. Besides, with WebGL, a web site could be using Firefox or Chrome users to do this for them through the GPU just by visiting their site. Another reason to avoid WebGL?)

thenetavenger said,

Add in several bot servers at your disposal, and cycle through a long list of names as each times out, and you could have a lot of account passwords in a very short time.

(Using the GPU wouldn't even be necessary, as it would be faster than the lockouts hit anyway. Besides, with WebGL, a web site could be using Firefox or Chrome users to do this for them through the GPU just by visiting their site. Another reason to avoid WebGL?)


WebGL is run client side...

thenetavenger said,

Years and years? Um, not really for most people. Using base user ASCII and common suffix and prefix combinations, there are a bunch of accounts that I could yank from Neowin if that was the intent.

For example, how many people use common things like 0 instead of O and capitalization differences or a !@# prefix, etc. There is a common database of this stuff hackers use.

Also, if you have a good 'cold reader' all they would have to do is meet you in person and know your password. Sadly, people like patterns and are human, which makes them a security flaw. (If it was important, I could hire a team of 'readers' like Derren Brown and target a Starbucks or common place that people go that I wanted to obtain a ton of passwords. This is why the human element needs to be removed from the equation completely.)

That doesn't work that way for most people. Hence why I said it.
And yes, it would take years and years, especially with the script method they would have to use for this password entry scheme. It's a very very slow method.

My account was compromised back in September as described above (with a real password) and I've been fighting MS since trying to get my money back. $150 in MS points. I should have kept them instead of asking for a refund. When I reported it my account was on suspend for 3 weeks for investigation. They said they were going to give the refund back and it's still been all this time. I call them weekly now to try and find out when I'm getting my money back...

RickoT said,
My account was compromised back in September as described above (with a real password) and I've been fighting MS since trying to get my money back. $150 in MS points. I should have kept them instead of asking for a refund. When I reported it my account was on suspend for 3 weeks for investigation. They said they were going to give the refund back and it's still been all this time. I call them weekly now to try and find out when I'm getting my money back...

So what do they do once your account has been hacked? Don't the points stay on your xbox live account? I haven't added points in a while, I don't remember my full card number and other information on the site. I may be wrong.

Well now this would be rather embarrassing for Microsoft, wouldn't it? After all those denials about being compromised and constantly telling people that they've been phished...

Kushan said,
Well now this would be rather embarrassing for Microsoft, wouldn't it? After all those denials about being compromised and constantly telling people that they've been phished...

They haven't been compromised, read the article.

funkydude said,

They haven't been compromised, read the article.

Uhhh, perhaps you should take your own advice. I'll even narrow down the important bit for you:

Then a person uses that Windows Live ID and a password-generating script on the Xbox.com web site. This method can also be used to find the user's password in some cases.

There's a problem with the site that allows people to access accounts and/or find out that person's password. Not the person's fault.

Kushan said,

Uhhh, perhaps you should take your own advice. I'll even narrow down the important bit for you:

There's a problem with the site that allows people to access accounts and/or find out that person's password. Not the person's fault.


It's totally the person's fault for using a crappy password.

There's a problem with the site that allows people to access accounts and/or find out that person's password. Not the person's fault.

Sorry, brute forcing doesn't count as an exploit. A complex password would take a long long time to crack. An extremely complex password, don't even bother.

Kushan said,
Well now this would be rather embarrassing for Microsoft, wouldn't it? After all those denials about being compromised and constantly telling people that they've been phished...

Even if they incorporate a timeout/lockout policy on the web site, the script would move on to the next until it was unlocked again.

Basically this 'exploit' can be hampered a bit, but would involve fully locking the accounts until the users contact technical support, which would be a pain, as technical support could only queue a password reset, and depending on the user, may not be an easy process and may take a few days due to the security safeguards in the LiveID/Passport system Xbox Live uses.


This is about as much of an exploit as me sitting on your doorstep for several weeks, entering in your keycode on your house's automated lock keypad.

Kushan said,

Uhhh, perhaps you should take your own advice. I'll even narrow down the important bit for you:

There's a problem with the site that allows people to access accounts and/or find out that person's password. Not the person's fault.

did you miss the part about the password being brute forced... craptastic password is craptastic password. It would be the same if I went to a site and put in Kushan and random passwords till I got it right. woooo let's blame that on MS.

/eyeroll

No, the problem is that this script doesn't lock out after so many attempts at logging in. That's the issue, that's why Xbox Live is the attack vector and not Live mail or any other service that uses the same login details. It IS an exploit; it's not as effective as other attacks, but it's still a lot more effective than the usual methods for brute forcing a log-in. "If it incorporated a timeout/lockout policy" it would nip this in the bud quite quickly, as if you can only brute-force 3 or 4 passwords an hour, it'll take years to crack even a simple password, whereas being able to try hundreds a minute is a problem.
The fact that Microsoft also ALLOWS those crappy passwords is also a debatable issue.
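
The lockout policy Kushan is asking for, and the rate gap ZakO describes (an online form at perhaps 20,000 guesses a second versus a GPU at billions against a leaked hash), can be made concrete in a few lines. The following is an added example, not code from the article, Eurogamer, or Microsoft's site: a per-account failed-attempt counter with a temporary lockout, plus a worst-case keyspace-exhaustion estimate at each rate the thread mentions. The class and function names, the `check` callable and the round rate figures are assumptions for illustration.

```python
# Added example (not from the article or any of the commenters): a per-account
# login throttle with a temporary lockout, plus a worst-case brute-force time
# estimate at the guess rates the thread discusses. Names such as LoginThrottle
# and the `check` callable are assumptions for illustration.
import time
from collections import defaultdict

# Guess rates quoted in the thread (round, constructed figures).
GPU_OFFLINE_RATE = 1_000_000_000   # ~1 billion hashes/s against a leaked hash
SERVER_FORM_RATE = 20_000          # optimistic ceiling for an online login form
LOCKED_DOWN_RATE = 4 / 3600        # ~4 guesses/hour once lockouts are enforced

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def worst_case_years(alphabet_size, length, guesses_per_second):
    """Years needed to try every password of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols at the given rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    Once `max_failures` wrong passwords are seen for an account, further
    attempts are refused for `lockout_seconds`, whether or not they are
    correct. A real deployment would persist this state server-side and add
    a per-source limit as well; here it lives in memory to keep the logic visible.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: reset counter
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password, check):
        """Return 'locked', 'ok' or 'bad'. `check(account, password)` is the
        caller-supplied credential verifier (assumed, not a real API)."""
        if self.is_locked(account):
            return "locked"
        if check(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "bad"


def guesses_before_lockout(throttle, account, candidates, check):
    """Run a candidate list through the throttle and return how many guesses
    were actually evaluated before the account locked (or a guess succeeded)."""
    tested = 0
    for candidate in candidates:
        result = throttle.attempt(account, candidate, check)
        if result == "locked":
            break
        tested += 1
        if result == "ok":
            break
    return tested


if __name__ == "__main__":
    # Rate comparison from the thread: offline GPU vs online form vs lockout.
    for label, rate in (("offline GPU", GPU_OFFLINE_RATE),
                        ("online form", SERVER_FORM_RATE),
                        ("with lockout", LOCKED_DOWN_RATE)):
        print(f"{label:>12}: {worst_case_years(95, 8, rate):.3g} years for 8 printable chars")

    # Constructed demonstration: a fixed clock and a throwaway password.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    verify = lambda acct, pw: pw == "correct horse battery"      # constructed
    guesses = ["123456", "password", "qwerty", "letmein", "abc123",
               "correct horse battery"]
    print("guesses evaluated before lockout:",
          guesses_before_lockout(throttle, "player1", guesses, verify))
```

The ratio between the online-form rate and the offline GPU rate works out to exactly the 50,000x ZakO quotes, and the lockout cuts the effective rate by several more orders of magnitude. Note the caveat thenetavenger raises: a per-account lockout on its own lets a script rotate through many accounts, and it also hands anyone a way to lock a victim out deliberately, so it should be paired with per-source throttling and the "locked" outcomes should be logged and alerted on rather than silently dropped.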

/- Razorfold said,

Sorry, brute forcing doesn't count as an exploit. A complex password would take a long long time to crack. An extremely complex password, don't even bother.

A complex PW is indeed harder to crack but... depending on who you are, and therefore what kind of hardware you have access to, the time needed to break it could be very short, shorter than what a lot of people could even imagine...

That said, I do not think that people with big hardware would go after Xbox accounts; bank accounts would be more appealing... at least I guess. :-)

Sounds like they just don't log attempts like most websites do. I know that you can script code redemption so that when you see large code drops, it'll just cycle through them. This seems more like a brute force than anything of significance.

1) Find gamertag
2) Launch script on website using gamertag
3) Hope gamertag password is simple

Not much of an exploit.

shinji257 said,

The thing is they already have one.

As the article says, the xbox.com website appears to not have one, hence this BF attempt is able to work.

MS needs to simply update its security on the xbox.com site to match Hotmail's.

virtualmadden said,
Sounds like they just don't log attempts like most websites do. I know that you can script code redemption so that when you see large code drops, it'll just cycle through them. This seems more like a brute force than anything of significance.

1) Find gamertag
2) Launch script on website using gamertag
3) Hope gamertag password is simple

Not much of an exploit.

My mom's xbox account got hacked through this method. I know her password and it's far from simple. They definitely should have a lockout period.

Phantom Spaceman said,
My mom's xbox account got hacked through this method. I know her password and it's far from simple. They definitely should have a lockout period.

If her password is really "far from simple", I doubt this technique was used to hack her account. A password such as "P@$$w0rd123" would take years to brute-force.