Microsoft changes Live ID login system due to security concerns

Microsoft has quietly updated the Windows Live ID login system, most likely in response to a security concern that surfaced last week. The new procedure seeks to eliminate the risk of brute-force attacks against Live ID logins, which could give hackers a way to gain unauthorized access to accounts.

Last week Jason Coutee, an IT consultant, exposed a brute force hack that could allow hackers to access Windows Live ID accounts and all linked materials such as Xbox Live account information. The security flaw allowed hackers unlimited attempts at guessing the password for a Windows Live ID. In addition, the error codes Microsoft used on their site allowed hackers to determine whether a Live ID was real before they tried to brute force the password.

Now it seems that Microsoft has altered their rules. Coutee wrote to Joystiq saying, "Before it would just let you try over and over. But now ... they handle the sign in request on the server in a way that it will stop replying after about 20 attempts."

Coutee continues, "Good news is that at least they lengthened the time it would take to brute force Live IDs."

Microsoft noted to Joystiq that this exploit wasn’t really a loophole at Xbox.com but rather an “industry-wide issue.” I’m inclined to disagree. Most websites will only indicate whether the login information is correct, not whether the login name is valid. In addition, 20 attempts is a pretty large number. Many websites will lock you out and force you to verify email or some other method to recover the password within 5-10 attempts, sometimes much less.
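The two weaknesses the article describes, unlimited sign-in attempts and error codes that reveal whether an account exists, are both server-side design choices. The example below is added here to show the contrast; it is not Microsoft's code and does not reflect how Live ID was actually implemented. `login_leaky` follows the pattern the article criticises, while `LoginService` applies the two mitigations the article points to: a single generic failure message whether or not the username exists (with the same password-hashing work done in both cases, so the response time does not leak the answer either), and a per-account lockout after a small number of failures, here the 5 that the article cites as a common threshold. All usernames, passwords, salts and thresholds are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; the cost is the same on every call so timing is uniform."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample credential store for this example: username -> (salt, hash).
_SALT_ALICE = b"constructed-salt-alice"
USERS = {"alice@example.test": (_SALT_ALICE, _derive("correct horse", _SALT_ALICE))}

# Dummy record used when the username is unknown, so the same hashing work
# is done whether or not the account exists (no timing-based enumeration).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _derive("placeholder", _DUMMY_SALT)

# One message for every failure: unknown account, wrong password, or locked out.
GENERIC_FAILURE = "The email address or password is incorrect."


def login_leaky(username: str, password: str) -> str:
    """The pattern the article criticises: distinct errors tell a caller which
    usernames are real, and nothing limits how many guesses may be made."""
    record = USERS.get(username)
    if record is None:
        return "Account does not exist"
    salt, stored = record
    if not hmac.compare_digest(_derive(password, salt), stored):
        return "Incorrect password"
    return "OK"


@dataclass
class LoginResult:
    ok: bool
    message: str


class LoginService:
    """Hardened sign-in: uniform error message plus per-account lockout."""

    def __init__(self, users, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.users = users
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so lockout expiry can be tested without sleeping
        self._failures = {}  # username -> (failed_count, locked_until)

    def login(self, username: str, password: str) -> LoginResult:
        now = self.clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > now:
            # Locked: reject without checking the password, same message as any other failure.
            return LoginResult(False, GENERIC_FAILURE)
        if locked_until:
            # A previous lockout has expired; start a fresh attempt window.
            count, locked_until = 0, 0.0

        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        digest = _derive(password, salt)  # always computed, even for unknown users
        if record is not None and hmac.compare_digest(digest, stored):
            self._failures.pop(username, None)
            return LoginResult(True, "Signed in")

        # Failures are counted for unknown usernames too, so lockout behaviour
        # cannot be used to tell real accounts from fake ones.
        count += 1
        if count >= self.max_attempts:
            locked_until = now + self.lockout_seconds
        self._failures[username] = (count, locked_until)
        return LoginResult(False, GENERIC_FAILURE)


if __name__ == "__main__":
    svc = LoginService(USERS)
    for attempt in range(6):
        print(attempt + 1, svc.login("alice@example.test", "wrong guess"))
    print("correct password while locked:", svc.login("alice@example.test", "correct horse"))
```

Two details are easy to miss when writing this: the dummy hash computation for unknown usernames, without which the response time alone reveals which accounts exist; and counting failures against usernames that do not exist, so that a lockout only on real accounts does not become a new enumeration signal.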
