Microsoft has fixed a bug on the Xbox website that allowed hackers to associate an Xbox player's username with a user's actual email address.
Microsoft caught the bug thanks to its recently launched Xbox Vulnerability Discovery program.
Joseph Harris was one of several security researchers who reported this issue to Microsoft earlier this year. He published his results earlier this week on the technology site ZDNet.
The security researcher said the vulnerability was found on enforcement.xbox.com, the online portal where Xbox users can view warnings issued against their profiles and file an appeal if they feel a warning about their online behavior was unwarranted.
After a user logs in, the Xbox enforcement website creates a cookie in the user's web browser that contains detailed information about the web session, so that the user does not have to log in again on future visits.
Harris said the website's cookie contained the user's personal identifier (XUID) in unencrypted form. Using simple tools, or even a modern web browser, Harris could edit the XUID field and replace it with a different one.
"I tried to override the cookie value and thanks to the update I suddenly found that I could see the user's other email addresses," Harris said in an interview with ZDNet. Microsoft released an update for this bug last month. Harris said the fix was to encrypt the XUID.
A Microsoft spokesperson told ZDNet that the patch is applied only on the server side, so users do not have to take any other steps to stay safe.
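The server-side check at issue, as an added example that is not Microsoft's code: the "before" lookup trusts whatever XUID the cookie carries, and the "after" lookup rejects a cookie whose identifier was edited. The cookie layout, the sample XUIDs and addresses, and the key are constructed, and the hardened version uses an HMAC tag rather than the encryption the article says Microsoft applied.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: XUIDs, addresses and key are made up for this example.
ACCOUNTS = {
    "2533274790000001": "alice@example.com",
    "2533274790000002": "bob@example.com",
}
SERVER_KEY = b"constructed-demo-key-kept-server-side"


def issue_plain_cookie(xuid: str) -> str:
    """Before: the cookie carries the identifier as-is."""
    return f"xuid={xuid}"


def lookup_plain(cookie: str) -> Optional[str]:
    """Before: whatever identifier the client sends is trusted."""
    return ACCOUNTS.get(cookie.partition("=")[2])


def _tag(xuid: str) -> str:
    return hmac.new(SERVER_KEY, xuid.encode(), hashlib.sha256).hexdigest()


def issue_signed_cookie(xuid: str) -> str:
    """After: the identifier is bound to a tag only the server can compute."""
    return f"xuid={xuid}.{_tag(xuid)}"


def lookup_signed(cookie: str) -> Optional[str]:
    """After: reject the cookie unless the tag matches the identifier."""
    xuid, sep, tag = cookie.partition("=")[2].partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(xuid).encode()):
        return None  # edited or malformed cookie: treat as not logged in
    return ACCOUNTS.get(xuid)


def swap_xuid(cookie: str, new_xuid: str) -> str:
    """Model a client-side edit of the identifier field; any tag is left as sent."""
    name, _, value = cookie.partition("=")
    _, sep, tag = value.partition(".")
    return f"{name}={new_xuid}{sep}{tag}"
```

Keeping the identifier in a server-side session store and sending only a random session ID in the cookie closes the same gap without exposing the XUID at all.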
Harris said other areas of the Xbox platform do not have the same problem.
A Microsoft Security Response Center security analyst who reviewed the vulnerability report said the vulnerability would not be rewarded, but the company agreed to list Harris in the vulnerability bounty program's Hall of Fame.