Myce.com Latest Updates

Hacked Xbox Live member says brute force attacks are possible

Posted at 14 January 2012 00:33 CEST by Justin_Massoud

A slew of recent Xbox Live hackings might share a common theme, says a network infrastructure manager. Jason Coutee, who unceremoniously had his online account broken into and $100 worth of Microsoft Points pilfered, believes he’s found a possible culprit: Microsoft’s own Xbox Live web portal.

Speaking to the blog AnalogHype, Coutee claims Xbox.com suffers from several security flaws, which make users’ passwords susceptible to brute force-style attacks.

The hacking victim learned through testing that entering an invalid Windows Live ID into the site’s sign-in screen, along with a similarly wrong password, brings up the error message “That Windows Live ID doesn’t exist. Enter a different ID or get a new one.”

A valid Windows Live ID paired with an incorrect password, however, displays the following message: “The email address or password is incorrect. Please try again.” That’s Yahtzee for hackers.

From there, they can run a script to discern the proper password, says Coutee. Circumventing the site’s built-in CAPTCHA system, which automatically pops up after eight failed sign-in attempts, is also easy. Cyber crooks need only click the “try with another Live ID” option to reset the counter to zero.

Windows Live IDs can potentially be culled from a quick Google search of active Xbox Live Gamertags, which may then lead to accompanying email addresses at social networking sites.

It’s unclear if this method was employed last October when hackers stole Xbox Live accounts to buy content for Electronic Arts’ soccer title, FIFA 2012. Several victims shared their horror stories online, including blogger Michael Kurz, whose simple request for more information regarding his stolen account was shot down by Microsoft Customer Service.

Microsoft has yet to respond to this latest round of speculation. (via AnalogHype)

Click for more news

game consolespiracy

Click to share

There are 2 comments

Zod
MyCE Resident
Posted on: 15 Jan 12 17:51
    Couldn't brute force attacks be easily resolved? Lock out access to the account after 3 unsuccessful tries and send an info email to the email address of the gamertag account?
    Mr. Belvedere
    MyCE Resident
    Posted on: 16 Jan 12 10:10
      The problem is this:

      Quote:
      Cyber crooks need only click the “try with another Live ID” option to reset the counter to zero.
      .

      They can of course built in ip checking amongst other stuff like timers for the same account.

      Post your comment

      You need to register before you can comment

      Like us

      Most popular headlines

      TuneIn radio app update disappoints many users - requires social login

      The popular mobile radio app TuneIn receives a lot of negative comments after th...

      Xbox One owners complain about "horrible noise" coming from console

      Xbox One owners complain about noise coming out of their game console. The issue...

      TDMore releases free DVD Copy software - claims faster than others

      TDMore today announced the availability of "Free DVD Copy" which allow...

      Leaked Windows 9 screenshots clearly show new Start menu and more

      Several German websites have been provided with new screenshots of Windows 9. Th...

      Kingston HyperX 3.0 64GB USB3 Flash drive review - Speed, build quality and great looks

      • Mon 15 Sep 01:09 by Vroom

      Review: Kingston DT HyperX 3.0 64GB Reviewed by: Antonis Sapanidis P...

      See all headlines

      Community Activities

      Follow Myce.com