Microsoft has patched a bug in the Xbox website that could have allowed attackers to link Xbox gamertags to users' real email addresses. According to a report by ZDNet, the vulnerability was reported to Microsoft through the company's recently launched Xbox bug bounty program. Speaking to ZDNet, Joseph 'Doc' Harris, one of several security researchers who reported the issue to Microsoft, said that the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly punished for their behaviour on the Xbox network.
As per the report, once users log in to the website, the Xbox Enforcement site sets a cookie in their browser containing details about their web session, so that the gamer does not have to re-authenticate on their next visit.
Harris revealed that the cookie contained an Xbox user ID (XUID) field that was neither encrypted nor otherwise protected from tampering. Harris edited the XUID field in his own cookie and replaced it with the XUID of a test account he had created for the bug bounty work; the portal then served information belonging to that test account, which is how the flaw could link a gamertag to an email address. The underlying weakness is that the server trusted a user identifier supplied by the client instead of deriving the identity from its own session state.
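To make the weakness concrete, below is an added example written for this page; it is not code from the Xbox Enforcement portal or from the researcher, and the cookie field names, XUIDs, emails, secret and session layout are all made up for illustration. The vulnerable handler does what the report describes: it reads the XUID straight out of the cookie and looks up that profile. The hardened handler, one common server-side approach (the page does not say how Microsoft actually fixed it), only accepts an HMAC-signed session ID and resolves the XUID from a table held on the server, so editing or adding an `xuid` field in the cookie changes nothing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data for illustration only (not real accounts or real XUIDs).
USERS: Dict[str, Dict[str, str]] = {
    "2533274790395904": {"gamertag": "ResearcherAcct", "email": "researcher@example.com"},
    "2533274812345678": {"gamertag": "TargetAcct", "email": "target@example.com"},
}

# Assumed server-side signing key; in practice loaded from a secret store and rotated.
SERVER_SECRET = b"example-signing-key-never-sent-to-the-client"


def parse_cookie(header: str) -> Dict[str, str]:
    """Parse a Cookie header ('a=1; b=2') into a dict. Last duplicate wins."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


# --- Vulnerable pattern: the server trusts whatever XUID the cookie carries ---
def vulnerable_profile(cookie_header: str) -> Optional[Dict[str, str]]:
    """Returns the profile for the XUID named in the cookie. Anyone who can edit the
    cookie (i.e. the user) can read any other user's profile by swapping the XUID."""
    cookie = parse_cookie(cookie_header)
    return USERS.get(cookie.get("xuid", ""))


# --- Hardened pattern: identity comes only from server-held session state ---
SESSIONS: Dict[str, str] = {}  # session_id -> xuid, never sent to the client


def _sign(session_id: str) -> str:
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login(xuid: str) -> str:
    """Called after the user has actually authenticated (assumed to happen elsewhere).
    Creates a random session ID bound to the XUID on the server and returns the
    cookie value 'session_id.hmac'. The XUID itself never appears in the cookie."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = xuid
    return f"{session_id}.{_sign(session_id)}"


def hardened_profile(cookie_header: str) -> Optional[Dict[str, str]]:
    """Returns the profile of the session owner, or None if the cookie is missing,
    malformed, forged, or points at an unknown session. Any 'xuid' field the
    client adds to the cookie is ignored entirely."""
    cookie = parse_cookie(cookie_header)
    token = cookie.get("session", "")
    if "." not in token:
        return None
    session_id, tag = token.rsplit(".", 1)
    # Constant-time comparison so tag verification does not leak timing information.
    if not hmac.compare_digest(tag, _sign(session_id)):
        return None
    xuid = SESSIONS.get(session_id)
    return USERS.get(xuid) if xuid else None


if __name__ == "__main__":
    # The researcher's swap against the vulnerable handler: another user's data.
    print(vulnerable_profile("xuid=2533274812345678"))
    # Against the hardened handler the same trick yields only the session owner's data.
    token = login("2533274790395904")
    print(hardened_profile(f"session={token}; xuid=2533274812345678"))
```

The check a practitioner would run against a real site is the same as the researcher's: log in, copy the cookie, replace or append an identifier belonging to a second account you control, and see whether the response changes. If it does, the server is trusting client-supplied identity; the fix belongs on the server, which is consistent with Microsoft deploying it server-side with no user action required.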
A Microsoft spokesperson said that the fix was deployed server-side and that users do not need to take any additional steps to stay protected.
As per the report, a security analyst at the Microsoft Security Response Center, which triages bug reports, said that the bug was not covered by the Xbox bug bounty program, but the company still agreed to list Harris on its Bug Bounty Hall of Fame as a contributor.
source https://www.firstpost.com/tech/gaming/microsoft-reportedly-fixes-xbox-bug-that-could-have-leaked-user-email-ids-through-gamer-tag-9066291.html