Xbox Live Vulnerability Exposed! Microsoft Ignored The Truth

2012 January 12
by Adrian Pottinger

What started as a supposed FIFA 12 hack turns out to be more than that. Xbox Live has a serious security flaw, and Microsoft ignored it for way too long. We have uncovered how easy it is for hackers, or anybody with some free time, to hack your Xbox Live account.

I spoke with Jason Coutee, a network infrastructure manager who had his Xbox Live account hacked. 8000 Microsoft points were purchased on his account, so he did what any of us would do and called Xbox support. A transaction for the Xbox Live Family Pack was in the middle of being processed, and he was able to cancel it before it went through. Unfortunately Xbox couldn’t refund him for the 8000 Microsoft points, but offered to freeze his account for 30 days to investigate. Jason declined the investigation so that he could do his own. For the next couple of weeks Jason went searching for vulnerabilities that may have caused the hack. He then found the Xbox 360’s Achilles’ heel: Xbox.com.

The first step was to gather the Windows Live IDs behind gamertags. So after a round of Halo Reach, he gathered a list of gamertags and entered them individually into Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live IDs. Next the hackers check whether the email is a valid Windows Live ID. To do this, they head to Xbox.com and type in the email with a random password like “blah”.

If the hacker gets the error message “account is invalid”, they move on to another email.

When the hacker comes across the error message “password is wrong”, that account is in trouble.

Now, with a simple script, hackers can brute force their way into your Xbox Live account. The script batch-runs a list of potential passwords, which anybody can find online with a simple Google search, and keeps trying them until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers reach the CAPTCHA, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA, and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe: they will take your credit card info, Netflix, Hulu Plus, the works.

So what are hackers going to do with your hacked account? Most likely purchase games and Microsoft points, change your gamertag and the email associated with it, then sell it online. For extra kicks they might also purchase an Xbox Family Pack to add 3 more gamertags to their arsenal. Hackers are known to do this several times a day, making several hundred dollars a day off of Microsoft’s laziness and your money.

Jason Coutee attempted to call Microsoft to report his findings, and Microsoft Headquarters gave him the runaround, instructing him to email helpnow@microsoft.com. He also tried calling 1-800-4-MY-XBOX, where he spoke with a supervisor, who instructed him to take it to the Xbox.com forums. His latest attempt was with the Piracy and Phishing department at Microsoft, who wouldn’t help him with anything Xbox related. Everybody at Microsoft refused to acknowledge the issue, and because of that, gamertags are still being hacked. Microsoft could easily fix this issue by sending an email to people when there are more than X failed login attempts and by storing session IDs.
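A defensive sketch of the two problems the article describes and the fix it calls for, added here as an example and not code from the article or from Microsoft: the login check returns one error text whether or not the email is a known ID (so the page no longer confirms which addresses are Live IDs), and the failed-attempt counter lives on the server keyed by the target account, not in the browser’s CAPTCHA or session state, so “try with another Live ID” cannot reset it. The alert threshold, the lockout window and the in-memory user store are assumptions; the figure of 8 attempts is the article’s.

```python
import hashlib
import secrets
import time

MAX_FAILURES = 8        # the article's figure: 8 wrong passwords before the CAPTCHA appeared
ALERT_AFTER = 5         # assumed threshold for notifying the account owner
LOCK_SECONDS = 15 * 60  # assumed lockout window
UNIFORM_ERROR = "The email address or password is incorrect."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Login check with the two properties the article asks for:
    - one error text whether or not the email is a known ID, so the page no
      longer tells a guesser which addresses are valid Live IDs;
    - a failure counter kept on the server and keyed by the target account,
      not by the browser's CAPTCHA or session state, so 'try another ID' or a
      fresh session cannot reset it; the owner is alerted and the account is
      temporarily locked."""

    def __init__(self):
        self.users = {}         # email -> (salt, pbkdf2 hash); constructed store
        self.failures = {}      # email -> consecutive failed attempts
        self.locked_until = {}  # email -> unix time the lock expires
        self.alerts = []        # notifications that a mailer would send
        # dummy credential so unknown IDs cost the same hashing time as known ones
        self._dummy = (secrets.token_bytes(16), _hash(secrets.token_hex(16), b"dummy"))

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash(password, salt))

    def login(self, email: str, password: str, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(email, 0) > now:
            return False, UNIFORM_ERROR      # same text while locked: no lockout oracle
        salt, stored = self.users.get(email, self._dummy)
        matched = secrets.compare_digest(_hash(password, salt), stored)
        if matched and email in self.users:
            self.failures.pop(email, None)   # a good login clears the counter
            return True, "ok"
        count = self.failures.get(email, 0) + 1
        self.failures[email] = count
        if count == ALERT_AFTER and email in self.users:
            self.alerts.append(f"{email}: {count} failed logins, last at {now:.0f}")
        if count >= MAX_FAILURES:
            self.locked_until[email] = now + LOCK_SECONDS
            self.failures.pop(email, None)
        return False, UNIFORM_ERROR
```

A per-account lock can itself be used to keep the real owner out, which is why the owner alert plus a short window is the usual compromise; a production version would also throttle by source address.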

Thanks to Jason Coutee and Jessey


  • Pingback: How To Protect Your Xbox Live Account From Hackers - AnalogHype

  • jmanc82

    @AnalogHypeHD thanks guys for the chance to get this out @ign @xboxlivenation @majornelson @gamespot ….. i’ve tried to get u to listen

  • XboxSupport

    @otakuman5000 Thanks for the heads up ^BB

  • acawn

    @GoogleKrome that’s what happened to me

  • jmanc82

    @GoogleKrome @acawn i bet that susan taylor lady that got hacked would love to hear about this? @gamestop @ign @xboxsupport @xboxlivenation

    • XboxSupport

      @jmanc82 Did you have any Xbox questions for us today? ^AC

  • XboxSupport

    @GoogleKrome Did you have any Xbox questions for us tonight? ^AC

    • GoogleKrome

      @XboxSupport no questions just drawing your attention to an on going Xbox issue with many users

      • XboxSupport

        @GoogleKrome Ok well make sure you take a look at this and follow these suggestions: http://t.co/Y7N2F2tc ^AC

  • jmanc82

    @GoogleKrome @acawn …… hey @ladyelysium figured you like to know I’m also spreading awareness of the issue as I found the security flaw

  • pullarius1

    @CEOJebailey I totally read that url as Anal Original Gangster Hype for some reason. I would totally subscribe to that website.

    • CEOJebailey

      @pullarius1 Lol I thought that too, unfortunately it’s a serious post, sad XBOX keeps ignoring it.

      • pullarius1

        @CEOJebailey Yeah. Looks like they’re (we’re) about to get Sony’d :-/

        • jmanc82

          @pullarius1 I know sad right?

  • Zasz

    I’ve also been screwed over by Microsoft in almost the exact same situation. $100 charged to my credit card, called customer service, and they literally told me to call my credit card company to report fraudulent charges by Microsoft as there was nothing they would do other than suspending my account (for a service I pay for and use!) for 30 days. It’s truly just terrible customer service and I urge everyone to remove your credit card from your Xbox Live account.

    • DJKrome

      @Zasz I would also upgrade your password to make your password harder to hack

      • Zasz

        @DJKrome Thanks. I did this already, along with changing my secret question/answer.

        Funny story: Microsoft’s customer support line actually wanted me to give them over the phone not only my new password but the answers to my new secret questions. I was pretty shocked they’d ask and I actually hung up the phone. These passwords/answers for many people are the same ones they use on their facebook profiles or email accounts or bank accounts. I wouldn’t be surprised if the customer service people were involved in nefarious activities themselves.

  • HiRisk808

    @CEOJebailey link doesn’t work

    • CEOJebailey

      @HiRisk808 It should, here it is again http://t.co/osVkb5P6

      • HiRisk808

        @CEOJebailey the link that you posted on FB worked lol

  • SangfroidSoul

    @TheGhostmayne that shit cray

  • EASTisLEGEND

    @TheGhostmayne @CrackaSteve @Thugnificense @MAYNEMATIC284 @L1LK3LS3Y @SangfroidSoul smh so what does this mean now?

    • L1LK3LS3Y

      @EASTisLEGEND @TheGhostmayne @CrackaSteve @Thugnificense @MAYNEMATIC284 @SangfroidSoul i ain’t scurred of no hacker

  • AceyBongos

    @Neural_ Thanks for sending over mate.

  • Pingback: Why Your X-Box Live Account is Vulnerable (and How to Help) | Gear-Fish Reviews

  • KennifusPrime

    @CEOJebailey This happened to mine. They charged $125 in points. It sucked hard.

    • CEOJebailey

      @KennifusPrime how did you notice?

      • KennifusPrime

        @CEOJebailey My debit Visa bank card was tied to my Live account. And I randomly saw two charges on my bank statement. Got it all fixed now.

  • drunkindunkin

    @AnalogHypeHD hey have you guys seen the site where these accounts are being sold? If not follow me and I’ll send you over the link.

    • Jesszman

      @drunkindunkin Yep! We did a story earlier about that.

  • OnekSoftGames

    @AnalogHypeHD @OtakuDante Also, strong passwords will help against brute force attack, and don’t make it the same as other system passwords

    • OtakuDante

      @OnekSoftGames I have a strong password & it is unlike any other password I have, can’t be too cautious these days ;)

  • Errol Games

    That’s why I buy those Microsoft Points at the store instead of attaching credit card info with my Gamertag. It was bad enough I gave the password to Raptr so they could track my stuff.

  • Pingback: Xbox 360 vulnerability? No, just weak passwords!

  • DavieMarshall

    @AnalogHypeHD @OnekSoftGames But surely that’s an issue true of *any* account on a ‘dictionary’ password? There’s no ‘exclusive’ issue here?

    • jmanc82

      @DavieMarshall actually most places lock the account out for a temp period or they send users an email

      • DavieMarshall

        @jmanc82 You’re right. I missed off that bottom bit somehow. An automated account lockdown should be there as standard.

    • OnekSoftGames

      @DavieMarshall @AnalogHypeHD that’s right, dictionary, known words and terms, etc

      • DavieMarshall

        @OnekSoftGames @analoghypehd Somehow missed the very last paragraph of the article. The fact there’s no auto-lockdown system is puzzling.

        • AnalogHypeHD

          @DavieMarshall @OnekSoftGames That’s the same thing I was saying earlier. I don’t know why they never implemented something like that at all

        • DavieMarshall

          @AnalogHypeHD Apologies for missing it! The dictionary attack is standard as you say, but not alerting the account needs a fix, rapidly.

        • AnalogHypeHD

          @DavieMarshall no problem!

        • OnekSoftGames

          @AnalogHypeHD @DavieMarshall big news stories usually prompt positive actions from big companies, keep spreading the word! :)

  • nycbf

    @visioneyesee good mornin Khalid :)

    • visioneyesee

      @nycbf Heyyy where you been at? You’ve been missed deeply :)

      • nycbf

        @visioneyesee Awww :) I knoooow Lol

  • Pingback: Unauthorized XBL account access may be coming from Xbox.com | VG247

  • Pingback: Unauthorized XBL account access may be coming from Xbox.com

  • Pingback: Gamer claims to know how Xbox Live is hacked

  • jelly564

    RT @AnalogHypeHD: Xbox 360′s are getting hacked all over the place. Its important you all take off your Paypal accounts from Xbox Live.

  • karlstanton

    @GrimSanto That’s a Windows Live vulnerability. Crazy…

  • Videogamegirl

    @GrimSanto Been happening for a very long time, I went through this months ago

  • Nintendud

    This is not a security vulnerability, although they should fix the CAPTCHA issue. This website is living up to its name: analogHYPE.

    Like with every single web account you make, make sure you have a strong password, and you have little to worry about unless a serious security vulnerability shows up. If you set your password to ‘password’ or a simple dictionary word, you are asking for trouble.

  • skie

    @LOKIOLR I think people with strong passwords are still getting hit. I think that article is great but…There is still a missing piece imho

    • LOKIOLR

      @skie Well I’m not sure how fast brute force scripts run nowadays. Also, how many instances they could run at the same time.

  • KhaLid

    Buy your points card and don’t input any info!

  • Pingback: Windows Live login suggested as Xbox Live security flaw | MensaDad News

  • Pingback: Exposta a vulnerabilidade para hackear a Xbox Live | Muito Supremo

  • XboxSupport

    @damonfriend Have you contacted phone support regarding your compromised account? ^CB

    • damonfriend

      @XboxSupport Yes, they ‘locked’ my account to investigate. I just want a refund since I didn’t make the purchase or download the product

      • XboxSupport

        @damonfriend Totally understand, for that you will want to continue staying in contact with our phone support team ^CB

        • damonfriend

          @XboxSupport Seems like it should be easier. I could probably just dispute the charges faster through my credit card company

        • XboxSupport

          @damonfriend That is also a viable option. Give them a call if you wish :) ^CB

        • damonfriend

          @XboxSupport Is anyone looking into that security flaw? It’s a huge one that is really easy to fix.

        • XboxSupport

          @damonfriend Thanks for the tip. We take security very seriously. Please see these tips. http://t.co/Y7N2F2tc ^LB

        • damonfriend

          @XboxSupport The security of my account was fine, it’s the security of your online login process that is flawed.

        • XboxSupport

          @damonfriend Glad you were able to get the investigation started with our phone team. Hopefully they’re able to help you resolve it soon. ^LB

  • Pingback: Windows Live login suggested as Xbox Live security flaw | Contact Xbox

  • Pingback: Windows Live login suggested as Xbox Live security flaw

  • Pingback: NEW Theory in Hacking Xbox Live account » Young man Blog

  • Pingback: Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? | Softmodding.com

  • Pingback: Windows Live login suggested as Xbox Live security flaw | Game Ninja

  • Pingback: Xbox Live Security Issue Found, Microsoft Ignores Problem | Piki Geek

  • Pingback: Is an Xbox.com security flaw behind recent XBLA account hacks? - 4Player Podcast

  • Pingback: UPDATE: Microsoft Addresses Xbox.com Exploit « Janita Ilg Web Place

  • Pingback: Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? | xboxyx.com

  • Pingback: Windows Live login suggested as Xbox Live security flaw | 360 Games

  • Pingback: Xbox Live hacking is a very real problem | Plagueborn Gaming

  • voteDC

    @TehEmperorsHand Read about this on the forum. One of the reasons the old play I use my one email address is for my gamertag.

  • Pingback: Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? | Wholesale Directory

  • Pingback: UPDATE: Microsoft Addresses Xbox.com Exploit | Rocket Punch!

  • Pingback: Report: Xbox.com Password Flaw Behind Recent 'Hacking' Woes? | Video Game Deals & UK News | Dealspwn.com

  • Pingback: Xbox.com security flaw

  • AngryFacing

    Hey, Analog Hype. How about this, go into your /wp-admin. Log into your account with the wrong password. It’ll tell you “The password you entered for the username (USERNAME) is incorrect”. Now put a wrong username: “Invalid username”. Looks like your site is vulnerable too. Sorry!

    Here’s the truth, it’s like that all across many websites. Anyone trying to brute force you will need a lot of patience as it will take days, possibly weeks to hack you. How about this, get a random password and be secure.

    • JayShockblast

      @AngryFacing um, I mean, pardon me for pointing out the Captain Obvious statement of the day, but I’d say there is a bit of a difference between someone being able to brute force their way into a random site on the internet and say… I don’t know, the accounts of one of the biggest entertainment providers in the world that, oh by the way, just so happens to store and present access to their customers financial accounts and establishments.

      I mean, I totally agree with you. I’ll bet someone brute forcing their way into Analog Hype would give a few good dudes some headaches for a day or two… but um… you know… not even on the same stratosphere.

      I’d say the overall point is… when you’re responsible for information the way that Microsoft has made themselves responsible… you kind of need to step your game up a bit…

      But I mean… that may be a little too Captain Obvious for common folk…

  • Pingback: Microsoft May Be Covering Up Its Alleged Security Breach

  • Pingback: Hacked Xbox Live player spots Microsoft security flaw

  • Pingback: Xbox.com Password Flaw May Be Behind Hacked Accounts | 360 Games

  • Pingback: Security Compromised on Xbox360 | Too High Homie

  • CharliKun

    @visioneyesee I heard about it but I don’t own an Xbox so I don’t really have anything to say about it really.

  • Pingback: Xbox.com Security Toughens Up Not Enough To Stop Hackers - AnalogHype

  • Pingback: 8 Microsoft Hype Sites | MK Computing

  • Pingback: Xbox Live Hackers Target Pro Gamers - AnalogHype

  • Pingback: Director Of Xbox Live Policy and Enforcement Steps Down - AnalogHype

  • Pingback: WTF I Got Suspended From Xbox Live - SLUniverse Forums

  • Pingback: Xbox Live Hackers? « Platinum Hits

  • Pingback: Hacker diz: o 'culpado' das invasões de contas da Live é o site Xbox.com | Kotaku Brasil

  • Pingback: Xbox Live Hacks: It IS a Problem | WildBlueYoshi – It Flies!

  • Paulduz1

    I’ve been hacked on X360. My email address login was stolen too. I lost everything on my Xbox; I couldn’t sign in due to the hacker changing my password, and MSN blocked my email, they said it was spamming hundreds of emails. I rang Xbox Live, shut down the account, lost everything, as I am now on a new account; my account was 4 years old. I warned my friends that I’ve been hacked and to be careful. I open no mails, I have no virus, my password was well hard and still they got into my account. I’m not happy at all. I believe Xbox Live has been hacked into. I lost my account 12/4/2012.

  • Paulduz1

    I think the ID thing would be a good idea. If I get hacked again on Xbox Live I’m packing it in.

  • Pingback: Xbox Live Hackers? | Platinum Hits

  • Pingback: Windows Live may be a vulnerability for Xbox Live users | Attack of the Fanboy