As the company struggles to meet the surge in demand for its new Xbox Series gaming consoles, Microsoft has patched a bug in an Xbox website that could have allowed attackers to link usernames to users' real email addresses.
After users log in, the Xbox Enforcement site creates a cookie in their browser with details about their web session, so they won’t have to re-authenticate the next time they visit the site.
“This portal’s cookie file contained an Xbox user ID (XUID) field that was unencrypted,” reports ZDNet, quoting Joseph ‘Doc’ Harris, one of several security researchers who reported the issue to Microsoft this year.
Harris edited the XUID field and replaced it with the XUID of a test account he had created for testing as part of the Xbox bug bounty programme. The vulnerability was reported to Microsoft through the Xbox bug bounty programme.
“Tried replacing the cookie value and refreshing, and suddenly I was able to see other [users’] emails,” Harris was quoted as saying.
Although Microsoft did not classify the bug as eligible for a monetary reward, it could have allowed threat actors to link any Xbox gamertag to the gamer’s real email address: the site trusted a user identifier that the client could edit, without any server-side check that the cookie's XUID matched the authenticated session.
Microsoft has announced the release of the Xbox Series X and S as its biggest Xbox launch ever, though it did not provide any specific sales figures.
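As an added illustration (not code from the article, Microsoft, or the researcher), here is a minimal Python model of the flaw described above and one way to close it: the vulnerable lookup trusts whatever XUID it reads from the cookie, while the hardened version binds the XUID to an HMAC that the server verifies before returning any profile data. The account table, XUID values and server secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: XUIDs and e-mail addresses are made up for this example.
ACCOUNTS = {
    "2533274790000001": {"gamertag": "TesterOne", "email": "tester1@example.com"},
    "2533274790000002": {"gamertag": "SomeoneElse", "email": "someone@example.com"},
}
SERVER_SECRET = secrets.token_bytes(32)  # assumed to live only on the server


def profile_insecure(cookie: dict) -> dict:
    """Vulnerable pattern: the XUID is read straight out of the cookie and trusted,
    so editing the cookie's xuid field returns another account's e-mail."""
    return ACCOUNTS[cookie["xuid"]]


def issue_cookie(xuid: str) -> dict:
    """Hardened pattern: bind the XUID to an HMAC so any client-side edit is detectable.
    (A server-side session store keyed by a random token works equally well.)"""
    tag = hmac.new(SERVER_SECRET, xuid.encode(), hashlib.sha256).hexdigest()
    return {"xuid": xuid, "sig": tag}


def profile_secure(cookie: dict) -> Optional[dict]:
    """Return the profile only if the cookie's XUID still matches its signature."""
    expected = hmac.new(SERVER_SECRET, cookie["xuid"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cookie.get("sig", "")):
        return None  # tampered or forged cookie: treat as unauthenticated
    return ACCOUNTS.get(cookie["xuid"])


def demo() -> dict:
    """Issue a cookie for one account, then swap in another account's XUID."""
    cookie = issue_cookie("2533274790000001")
    tampered = dict(cookie, xuid="2533274790000002")
    return {
        "insecure_leaks": profile_insecure(tampered)["email"],  # other user's address
        "secure_rejects": profile_secure(tampered),             # None
        "secure_own": profile_secure(cookie)["email"],          # own address only
    }
```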
Owing to the huge demand, Xbox Series X and Series S consoles are projected to be in short supply until at least April next year.