Security researchers reported a bug in Xbox Live that can leak users’ email addresses; Microsoft is half-heartedly releasing the patch

A week ago, two hackers who preferred to remain anonymous approached Motherboard and revealed a bug in Xbox Live. One of the hackers told Motherboard that they could discover a user’s email address from their Xbox gamertag, which is normally not possible. By default, the email address that a user registers with on Xbox Live, and that is linked to their Xbox gamertag, remains private.

Motherboard decided to look into the matter, but first, to verify the hacker’s claims, they provided them with two gamertags. One of the gamertags had been generated just a couple of minutes earlier, to see how efficiently a hacker could access the email address behind a newly generated gamertag. The hacker was able to find the email addresses associated with both gamertags within a couple of seconds, and thus proved that their claim was not wrong.

Another hacker reported to Motherboard that there is a vulnerability in the Xbox Live enforcement portal. This is the portal that connects gamers with the Microsoft team that looks into and takes care of issues that occur within the Xbox online community.

After receiving both of these reports and confirming the existence of the vulnerability, Motherboard approached Microsoft and told them about the bug. The Microsoft Security Response Center (MSRC) is the Microsoft division responsible for protecting customers from being harmed by vulnerabilities in the company’s software or products. When this matter reached the MSRC team, to Motherboard’s utter disappointment, they did not take it seriously at all!

In fact, they said in an email that they were aware of the issue, as they had also received multiple reports about it. But since the hackers can only access the email addresses behind gamertags, and cannot access or discover any other personal details about the users, MSRC did not consider it a major issue. And since it is not harming anyone, because it is not being used to identify any user, the issue does not require any intervention from MSRC. MSRC will therefore not even track this problem and will leave it up to the product group to do whatever they deem necessary about it.

That is quite an unexpected response from the ‘safeguards’ of Microsoft’s customers! After all this, a Microsoft spokesperson said the next day that the company had released an update to help protect its customers.

The mixed comments and responses from Microsoft make this whole matter worse. It remains to be seen when a proper fix for the bug will arrive, although the company did provide a patch for it after Motherboard’s report.


