Xbox.com Password Exploit Fingered for XBL Hack
The ongoing hacking of Xbox LIVE accounts has been one of the more evergreen stories in the gaming interwebs for the past few months, ever since it was first discovered that people’s accounts were being hacked to purchase stuff for FIFA 12.
Now, it seems, Eurogamer and AnalogHype have both published their findings into how these hacks have occurred. Both sites seem to have been contacted by one Jason Coutee, who had his account hacked and decided to figure out the exact process that goes into hacking an account.
The first step is to gather gamertags from simply playing Xbox LIVE games, which can be done after a vigorous round of Battlefield 3 or something. Google is the next stop, where hackers will try to match the gamertag with the associated e-mail address—which can then be used to try and log in to Xbox.com.
Once there, hackers test the e-mail addresses they’ve collected to see if they’re valid Windows Live IDs. Xbox.com allows up to eight password attempts before a captcha is presented to the user, and the guessing can be automated with password-generating scripts. Once the password is found, the hacker gets into the account, changes the password and the ID, purchases points and games and junk with the user’s attached credit card info, and then sells the ill-gotten games through the internet.
Hackers and computer-savvy people know things like this. I’m going to go out on a limb and say that most (not all) Xbox gamers aren’t totally in the know about how website security measures work—or how they fail. I know that this was news to me—sure, I knew there were methods of hacking into people’s accounts, but I wasn’t aware of how totally easy it was.
As of now, Eurogamer, AnalogHype, and Jason Coutee have contacted Microsoft about the exploit’s ease of use, but haven’t gotten any reply.
“Everybody at Microsoft refused to acknowledge the issue and because of that, gamertags are still being hacked,” remarks the AnalogHype post, offering a potential solution: “Microsoft can easily fix this issue by sending an email to people when there are more than X amount of failed login attempts and by storing session IDs.”
Our own computer-savvy intern, Landon “Boy Genius” Robinson, explains that he’s pretty familiar with this kind of tactic (or, as I will now call it, “hacktic,” because I’m clever). His suggestion would be for Microsoft to require a log-in name that’s unique and known only to the user who’s trying to log in—in short, NOT the e-mail address you’ve probably got attached to your LinkedIn page, your Facebook account, and all the rest.
These both seem like good measures that Microsoft could start to implement to block what is likely to be the black hats’ current point of entry. Regardless, earlier this week I went ahead and removed my credit card info from my Xbox account—just in case.
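To make the proposed fix concrete, here is an added example (not Xbox.com or Microsoft code, and not from AnalogHype) of the control described above: a per-account failed-login counter that notifies the owner once it passes X attempts, demands a captcha after the eighth try the article mentions, and hard-locks the account shortly after so a guessing script cannot simply keep going. It also hashes a dummy credential for unknown accounts, so the "is this a valid ID?" probe in the first step gets no timing hint. The thresholds, account name and passwords are constructed for the demo; the notify callback stands in for the e-mail step.

```python
"""Failed-login throttle with owner alerting and lockout.

Added example, not Xbox.com or Microsoft code. It models the control
AnalogHype proposes (e-mail the owner after X failed attempts) and pairs it
with a captcha gate and a lockout so guessing cannot simply continue.
All thresholds, account names and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

CAPTCHA_AFTER = 8       # the article reports a captcha after eight tries
ALERT_AFTER = 5         # the "X" failed attempts that trigger an owner alert
LOCK_AFTER = 10         # hard lockout threshold
WINDOW_SECONDS = 900    # failures older than this no longer count
LOCK_SECONDS = 1800     # how long a locked account stays locked

# Dummy credential so an unknown account costs the same hashing work as a real one
_DUMMY_SALT = bytes(16)
_DUMMY_DIGEST = bytes(32)


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginThrottle:
    def __init__(self, users, notify, clock=time.monotonic):
        self.users = users                  # account -> (salt, digest)
        self.notify = notify                # callback(account, failure_count), e.g. send e-mail
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> unlock time
        self.alerted = set()                # accounts already notified in this failure run

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def attempt(self, account, password, captcha_ok=False):
        """Returns 'ok', 'failed', 'captcha_required' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if self._recent_failures(account, now) >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"

        record = self.users.get(account)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)
        # constant-time compare; unknown accounts still fall through to 'failed'
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures[account].clear()
            self.alerted.discard(account)
            return "ok"

        q = self.failures[account]
        q.append(now)
        count = len(q)
        if count >= ALERT_AFTER and account not in self.alerted:
            self.alerted.add(account)
            self.notify(account, count)      # the "e-mail the owner" step
        if count >= LOCK_AFTER:
            self.locked_until[account] = now + LOCK_SECONDS
            return "locked"
        return "failed"


def simulate_guessing():
    """Drives the throttle with a fake clock; returns (statuses, alerts)."""
    alerts = []
    now = [0.0]
    users = {"gamer@example.com": hash_password("correct-horse-battery")}
    throttle = LoginThrottle(users, lambda a, n: alerts.append((a, n)),
                             clock=lambda: now[0])
    statuses = [throttle.attempt("gamer@example.com", f"guess{i}")
                for i in range(9)]                       # 8 failures, then captcha gate
    statuses.append(throttle.attempt("gamer@example.com", "guess9", captcha_ok=True))
    statuses.append(throttle.attempt("gamer@example.com", "guess10", captcha_ok=True))
    statuses.append(throttle.attempt("gamer@example.com", "correct-horse-battery"))
    now[0] += LOCK_SECONDS + 1                           # lock expires, window clears
    statuses.append(throttle.attempt("gamer@example.com", "correct-horse-battery"))
    return statuses, alerts


if __name__ == "__main__":
    print(simulate_guessing())
```

Running `simulate_guessing()` shows the owner alerted on the fifth failure, the captcha gate on the ninth attempt, a lockout on the tenth failure that rejects even the correct password, and a normal login once the lock expires. The alert fires once per failure run rather than on every attempt, so the owner is not buried in mail while the guessing continues.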
It’s funny—I got a PlayStation 3 for the holidays and I’ve been griping about how annoying it is that I can’t do anything with my PSN account from the website. I can’t download demos, I can’t purchase games, and I can’t even add friends from the website. As it turns out, this is probably for my benefit, as the lack of web-based control is a safeguard against getting hacked. Or am I being naïve here too? Help me out, people.
What do you think? Were you familiar with this kind of exploit? What are your suggestions for Microsoft’s next move to combat what seems to be a growing problem?