A network infrastructure manager claims that lax security on the official Xbox website is behind the recent spate of Xbox Live account thefts.
Analog Hype reports that the security flaw was found by Jason Coutee, who had his own account stolen and 8,000 Microsoft Points purchased using his stored credit card details.
When he contacted Microsoft support to notify them, he was told that the company would not be able to refund him for the 8,000 MSP, but offered to lock his account down and investigate, which could take up to 30 days. He declined, opting to use his professional experience and investigate by himself. A couple of weeks later, he found a hole in Xbox.com security.
It appears that Xbox.com allows an unlimited number of password attempts: after eight failures it demands a Captcha, and a correct Captcha buys another eight. Because the failure count is never tied to the account itself, a password-guessing script can keep going indefinitely, limited only by how quickly its operator can get Captchas solved, without the account ever being locked down as a precaution after too many failed attempts.
So, Coutee played a few rounds of Halo: Reach, noted down the Xbox Live gamertags of his opponents, and Googled them in the hope of finding related email addresses. Xbox.com helped here: its login response reveals whether or not an email address has an associated Windows Live ID, so candidate addresses can be confirmed as real accounts before any password guessing begins.
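The two weaknesses just described, a failure counter that a solved Captcha resets rather than an account that locks, and a login reply that doubles as a user-enumeration oracle, are easy to see side by side in code. The following Python is an added illustration written for this page; it is not Edge's, Analog Hype's or Microsoft's code, and everything in it except the eight-attempt Captcha figure (the e-mail addresses, passwords, the ten-failure lockout threshold and the guess list) is a constructed assumption for the demo.

```python
"""Toy login throttle: the per-session Captcha scheme the article describes
beside a per-account lockout. Added example, not code from the article or
from Microsoft. E-mails, passwords, LOCK_AFTER and GUESSES are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 10_000   # kept low for a quick demo; use a far higher work factor in production
CAPTCHA_AFTER = 8     # the figure reported in the article
LOCK_AFTER = 10       # assumed threshold for the hardened handler


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def make_store() -> dict:
    """Constructed user store with two registered Live IDs."""
    store = {}
    for email, pw in (("alice@example.com", "correct-horse-15"), ("bob@example.com", "hunter2")):
        salt = secrets.token_bytes(16)
        store[email] = Account(salt, _hash(pw, salt))
    return store


class WeakLogin:
    """Models the article's scheme: failures counted per browsing session, a
    Captcha after eight, a solved Captcha resets the count, the account is
    never locked, and the reply reveals whether the e-mail is registered."""

    def __init__(self, store: dict):
        self.store = store
        self.session_failures = 0

    def attempt(self, email: str, password: str, captcha_solved: bool = False) -> str:
        if self.session_failures >= CAPTCHA_AFTER:
            if not captcha_solved:
                return "captcha_required"
            self.session_failures = 0              # a solved Captcha buys eight more tries
        acct = self.store.get(email)
        if acct is None:
            return "unknown_live_id"               # user-enumeration oracle
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return "ok"
        self.session_failures += 1
        return "wrong_password"


class HardenedLogin:
    """Counts failures against the account, locks it after LOCK_AFTER
    consecutive failures, and gives one answer for unknown e-mail, wrong
    password and locked account alike."""

    def __init__(self, store: dict):
        self.store = store
        # Dummy credentials so an unknown e-mail costs the same hashing work.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash(secrets.token_hex(16), self._dummy_salt)

    def attempt(self, email: str, password: str) -> str:
        acct = self.store.get(email)
        salt, expected = (acct.salt, acct.pw_hash) if acct else (self._dummy_salt, self._dummy_hash)
        match = hmac.compare_digest(expected, _hash(password, salt))  # always computed
        if acct is None or acct.locked:
            return "invalid_credentials"
        if match:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCK_AFTER:
            acct.locked = True
        return "invalid_credentials"


# Constructed guess list; the real password sits at position 15.
GUESSES = [f"password{i}" for i in range(1, 15)] + ["correct-horse-15", "qwerty", "letmein"]


def brute_force(login, email: str, guesses) -> dict:
    """Attacker loop: try each guess and, whenever a Captcha is demanded, assume
    the attacker (by hand or via a solving service) answers it and retries.
    Returns the password found (or None) plus what the attack cost."""
    attempts = captchas = 0
    for guess in guesses:
        attempts += 1
        result = login.attempt(email, guess)
        if result == "captcha_required":
            captchas += 1
            result = login.attempt(email, guess, captcha_solved=True)
        if result == "ok":
            return {"password": guess, "attempts": attempts, "captchas": captchas}
    return {"password": None, "attempts": attempts, "captchas": captchas}


if __name__ == "__main__":
    print("weak:    ", brute_force(WeakLogin(make_store()), "alice@example.com", GUESSES))
    store = make_store()
    print("hardened:", brute_force(HardenedLogin(store), "alice@example.com", GUESSES),
          "locked =", store["alice@example.com"].locked)
```

Against the weak handler the script recovers the password on the fifteenth guess at the cost of one solved Captcha, which is the point the article makes: the Captcha only sets the price per batch of eight, it never ends the attack. Against the hardened handler the same guess list locks the account on the tenth failure, so the correct password is rejected when it comes up, and an unregistered address gets exactly the same reply as a wrong password. Note that the hardened design also trades one problem for another, since an attacker can now lock a victim out on purpose; a real deployment would pair the counter with a time-based unlock or step-up verification rather than a permanent lock.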
Coutee attempted to report his findings to Microsoft but claims he was given the runaround, with HQ giving him a support email address, a helpline pointing him to the Xbox.com forums, and Microsoft's piracy and phishing department simply declining to help at all.
We've verified that Coutee's claim about the eight-attempt system is correct, and have sought comment from Microsoft. Whether or not this is to blame for the recent spate of account thefts, it's troubling that so large a company, with so much experience in network solutions, is apparently content leaving its back gate on the latch like this.
Source: Analog Hype

Comments (14)
There's a hole in this argument.
How does this brute-force attack method get around the requirement to verify the captcha image after 8 failed attempts? Surely it still needs manual intervention, so any brute-force attack is only 8x as fast as doing the whole thing manually. Doesn't sound very efficient or even plausible to me... am I missing something?
Certainly the fact that the account is never shut down is a concern, but it still seems to require being very lucky to hit upon the password pretty quickly or sitting for an untold amount of time verifying captcha images.
Yeah, there is no brute-force hacking method that can circumvent captcha. There's a reason it is so widely used; it makes it impossible to brute-force a password on the web.
Not saying MS doesn't have a security flaw somewhere in their Xbox login system; they obviously do. There are waaay too many savvy people getting their accounts hacked to even remotely consider that they are getting phished. It certainly isn't brute-forcing a password.
In fact, I wish more companies forced me to use a captcha only if I fail my password a number of times in a row.
Captcha can be overcome. Why do you think people keep reinventing captcha?
It's laughable that people think Captcha is foolproof.
Okay, now that I've finally seen the latest article on Edge on this, and read the original analoguehype article, I see there *is* a way to bypass the captcha mechanism.
Granted, each email attempt could run into the billions of tries, but some may founder more quickly. Guess it depends on how the brute-force attack approaches it. Probably the longer the password is, the longer an attack would take... and would they reasonably place a limit on each attempt so as not to spend a month trying for one that might not have details worth stealing anyway? Right everyone, make sure your password is long enough!
Good grief, this is now the third time you've tried to stick the blame on an MS security hole without any evidence.
A cynic might think you've lost points and can't accept you might have put the password into a phishing scam or been lax with security.
The title of the piece is extremely misleading because there really is no evidence that this is the reason for all the hacked accounts.
edit: double post :/
Xbox has its flaws. I tried deleting an email from hotmail, but since it's linked to xbox live, I can't. Microsoft techs have said that in order to delete my email from xbox live I must first make another email account (which I will never use) and then I can delete my hotmail account. Sounds to me like Microsoft is just sweeping dirt under the rug here. I don't want to go out of my way to make another email account. It defeats the purpose of having a tech support that should help with such problems.
The original article on Analog Hype does mention that the captcha is easily circumvented by clicking on "try with another Live ID", which resets the 8-try limit back to one.
Ah yes, didn't read that... I made time to read the Edge article, but not to refer to its source. Why Edge didn't mention it themselves...
It's the same Windows Live system that underlies practically every MS web site. Don't you think that if it was "easily" hackable there'd be more stuff getting hijacked than a few poxy Xbox accounts?
www.hackedonxbox.com/ is a great site that has been doing the rounds recently, about a chick who had the same thing happen to her, only for Microsoft to give her a great little runaround. People are hacking the accounts, buying a family gold pack which allows the user to distribute Microsoft Points, and then buying a large amount of points, distributing them amongst some shiny new gamertags and selling those accounts online for real moneyz. Clever really; I do hope Microsoft stop this from happening to others and quit ignoring customer pleas...
Do you want to enter your password every time you buy something, like on an iDevice, because people can't keep their passwords safe?
We like to think that today's internet security is far enough along that the days when buying anything online was a risk are gone, but there have been far too many similar incidents recently.
Unrelated security tips:
Remember to use a low-grade password if the website doesn't use any encryption.
Keep in mind that every failed password attempt could be logged by an unscrupulous website and collected into a probable-pw list associated with your email address to be used on other services.
I've even had some websites send password recoveries that put my password in plaintext in my mailbox (they're supposed to shadow them, ffs!). Setting a password on a website is trusting that website to guard the password.