Xbox Bug That Could Have Leaked Actual User Email IDs Through Gamer Tag Patched by Microsoft: Report


Microsoft has reportedly patched a bug in an Xbox website that could potentially have exposed the real email addresses associated with users' Xbox gamer tags. The vulnerability was reported to the company through its bug bounty programme and has since been fixed. The findings for the bug, which was reportedly discovered on , were shared with an online publication earlier this week. The report explains that an Xbox user ID (XUID) field was unencrypted on

According to a report by ZDNet, the bug in was spotted by Joseph “Doc” Harris and a team of security researchers. The website,, allows Xbox users to view strikes against their profile, as well as file appeals if they feel a strike is unfair. It was found that once a user logs in to the website, it creates a cookie in their browser containing details of the web session. This cookie included an unencrypted Xbox user ID (XUID) field.

Harris was able to use standard browser tools to edit the XUID field and replace it with the XUID of a test account he had created for the Xbox bug bounty programme. Once he changed the value and refreshed the page, other users' emails were visible. Check out the video by Harris detailing the same.

It was noted that other subdomains were not affected by this bug. The report states that Microsoft patched the bug last month and encrypted the XUID. It was a server-side fix, and a Microsoft spokesperson told ZDNet that users do not need to do anything. Additionally, while the bug was not covered under the company's bug bounty programme, Microsoft featured Harris as a contributor in its Bug Bounty Hall of Fame. However, there was no monetary reward.
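The flaw described above is a classic case of a server trusting a client-editable identifier. The following added example (not code from Microsoft, ZDNet or the researcher) contrasts a handler that reads the XUID straight from the cookie with one that binds the identifier to a server-side session and signs the cookie so edits are detected; the page reports that the real fix encrypted the field, so signing plus session binding is shown here as an illustrative alternative, and all identifiers and addresses are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not real Xbox identifiers): XUID -> account e-mail,
# plus a server-side map of session id -> XUID established at login.
USERS = {"xuid-1001": "alice@example.invalid", "xuid-2002": "bob@example.invalid"}
SESSIONS = {}
SECRET = secrets.token_bytes(32)  # server-side key, never sent to the client


def sign(value):
    """HMAC tag over a cookie value so any client-side edit is detectable."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def login(xuid):
    """Issue the cookie a user receives after logging in (fields for both handlers)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = xuid
    return {"xuid": xuid, "sid": sid, "sig": sign(f"{sid}|{xuid}")}


def email_vulnerable(cookie):
    """Mirrors the reported flaw: the XUID is read from the cookie and trusted as-is,
    so an edited field selects another account's record."""
    return USERS.get(cookie.get("xuid"))


def email_hardened(cookie):
    """Two independent checks: the signature must cover the exact session/XUID pair the
    server issued, and the XUID must match the one bound to that session at login
    (the second check still holds if the signing key were ever compromised)."""
    sid, xuid, sig = cookie.get("sid", ""), cookie.get("xuid", ""), cookie.get("sig", "")
    if not hmac.compare_digest(sig, sign(f"{sid}|{xuid}")):
        return None  # tampered or forged cookie: log this as a probe
    if SESSIONS.get(sid) != xuid:
        return None  # session exists but was never bound to this XUID
    return USERS.get(xuid)


def edited_cookie(cookie, other_xuid):
    """Regression-test input: a copy of a valid cookie with only the XUID changed."""
    edited = dict(cookie)
    edited["xuid"] = other_xuid
    return edited
```

Running `email_vulnerable` and `email_hardened` on the same edited cookie shows the difference: the first returns the other account's address, the second rejects the request.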

The bug had the potential to leak real email IDs to hackers, which could then be used for malicious purposes. What is alarming is that no special tool was required to gain access to other users' email IDs.
