Xbox Live Vulnerability Exposed! Microsoft Ignored The Truth


 5 years ago '11        #1
7234 pageviews
173 comments


Jesszman
What started as a supposed FIFA 12 hack turns out to be more than that. Xbox Live has a serious security flaw and Microsoft ignored it for way too long. We have uncovered how easy it is for hackers, or anybody with some free time, to hack your Xbox Live account.

I spoke with Jason Coutee, a network infrastructure manager who had his Xbox Live account hacked. 8000 Microsoft Points were purchased on his account, so he did what any one of us would do and called Xbox support. A transaction for an Xbox Live Family Pack was in the middle of being processed, and he was able to cancel it before it went through. Unfortunately, Xbox couldn't refund him for the 8000 Microsoft Points, but offered to freeze his account for 30 days to investigate. Jason declined the investigation so that he could do his own. For the next couple of weeks Jason went searching for vulnerabilities that may have caused the hack. He then found the Xbox 360's Achilles' heel: Xbox.com.

The first step was to gather the Windows Live IDs of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and entered them individually into Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live IDs. Now the hackers check to see if the email is a valid Windows Live ID. To do this, hackers head to Xbox.com and type in the email and a random password like "blah".

If the hacker gets the error message "account is invalid", they move on to another email.

When the hacker comes across the error message "password is wrong", then that account is in trouble.

Now with a simple script, hackers can brute-force their way into your Xbox Live account. The script would batch-run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link to "try with another Live ID". Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe. Hackers will take your credit card info, Netflix, Hulu Plus, the works.

So what are hackers going to do with your hacked account? Most likely purchase games and Microsoft Points, change your gamertag and the email associated with it, then sell it online. For extra kicks they might also purchase an Xbox Family Pack to add 3 more gamertags to their arsenal. Hackers are known to do this several times a day, making several hundred dollars a day off of Microsoft's laziness and your money.

Jason Coutee attempted to call Microsoft to report his findings, and Microsoft Headquarters gave him the runaround. They instructed him to email helpnow@microsoft.com. He also tried calling 1-800-4-MY-XBOX, where he spoke with a supervisor. The supervisor instructed him to take it to the Xbox.com forums. His latest attempt was with the Piracy and Phishing department at Microsoft, who wouldn't help him with anything Xbox related. Everybody at Microsoft refused to acknowledge the issue, and because of that, gamertags are still being hacked. Microsoft can easily fix this issue by sending an email to people when there are more than X failed login attempts and by storing session IDs.



Thanks to Jason Coutee and Jesszman


Xbox Live Vulnerability Exposed! Microsoft Ignored The Truth - AnalogHype
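The fixes the article proposes (emailing the owner after a number of failed logins, and keeping track of attempts server-side instead of per browser session) can be shown in a small login check. This is an added example, not code from the article, from AnalogHype or from Microsoft: LoginGuard, attempt_login, the notify callback, the in-memory user table and the 15-minute lock duration are all assumed. It also closes the enumeration gap the article describes, by returning one generic error whether the Live ID is unknown or the password is wrong, and it keys the failure counter to the account, so reloading a CAPTCHA or starting a new session does not reset the count.

```python
"""Added example (not from the article, AnalogHype or Microsoft): a login
check that closes the gaps the article describes.

- One generic error for "no such account" and "wrong password", so a guesser
  cannot use the sign-in page to confirm which emails are valid Live IDs.
- A failure counter keyed by the account and kept server-side, not by the
  browser session or the CAPTCHA challenge, so asking for a fresh CAPTCHA
  or opening a new session does not reset it; after MAX_FAILURES the
  account is locked for LOCK_SECONDS and the owner is notified.

LoginGuard, attempt_login, the notify callback and the lock duration are
hypothetical; the user table is constructed sample data.
"""
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "The email address or password is incorrect."
MAX_FAILURES = 8        # the article says xbox.com allowed 8 wrong tries before a CAPTCHA
LOCK_SECONDS = 15 * 60  # assumed lock duration, not a Microsoft value


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 for stored password verifiers (constructed example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, notify):
        self._users = {}       # email -> (salt, verifier); constructed sample store
        self._failures = {}    # email -> [count, locked_until]; keyed by account
        self._notify = notify  # notify(email, count): e.g. send a sign-in alert mail

    def add_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, _hash_password(password, salt))

    def failures_for(self, email: str) -> int:
        return self._failures.get(email, [0, 0.0])[0]

    def attempt_login(self, email: str, password: str, now=None):
        """Return (success, message). The message is identical for every failure."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(email, [0, 0.0])
        if now < locked_until:
            # Locked: the password is not even evaluated, so a guess list stalls here.
            return False, GENERIC_ERROR
        record = self._users.get(email)
        if record is None:
            # Do equivalent work for unknown accounts so response time does not
            # distinguish "invalid account" from "wrong password".
            _hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, verifier = record
            ok = hmac.compare_digest(_hash_password(password, salt), verifier)
        if ok:
            self._failures.pop(email, None)  # success clears the counter
            return True, "ok"
        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCK_SECONDS
            if record is not None:
                self._notify(email, count)   # tell the real owner, as the article suggests
        self._failures[email] = [count, locked_until]
        return False, GENERIC_ERROR


if __name__ == "__main__":
    guard = LoginGuard(lambda email, n: print(f"alert {email}: {n} failed sign-ins, locked"))
    guard.add_user("owner@example.com", "correct horse battery staple")  # constructed
    for guess in ["password", "123456", "qwerty"]:
        print(guard.attempt_login("owner@example.com", guess))
    print(guard.attempt_login("nobody@example.com", "blah"))  # same message as above
```

The counter lives in the server-side table, not in anything the browser holds, which is what makes the "try with another Live ID" reset described above ineffective: the ninth wrong guess against an account is refused regardless of how many CAPTCHA pages or sessions were used to get there.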

173 comments for "Xbox Live Vulnerability Exposed! Microsoft Ignored The Truth"

 5 years ago '04        #2
DJKromeX
Shout outs to Jesszman
 5 years ago '11        #3
Jesszman
Thanks Krome, glad I could help!
 01-12-2012, 10:39 PM         #4
SmooveDude
That sucks for people who like Twitter and Facebook,

but since I don't do the whole social networking thing I'm good to go.
 5 years ago '11        #5
dom
So once again Microsoft could have prevented some really bad sh*t from happening and didn't. Microsoft makes money off this sh*t. I can't wait to read what DJ, Flawless Image and the rest of Xbox's cronies say about this sh*t.

Hey wait, they haven't responded yet. Let's really pay attention to the first thing they mention. I bet y'all they gonna do 1 or 2 things: attack Jesszman for posting this thread or bring up issues with Sony. There's NOTHING IN THIS ARTICLE ABOUT SONY. THIS HAS NOTHING TO DO WITH SONY. They're going to be the ones to bring Sony into this. Watch and see. They're going to defend Microsoft for having bush league a.ss security. peep game
 5 years ago '11        #6
Jesszman
umm, DCM, technically you just brought up sony lol.
 5 years ago '11        #7
dom
 Jesszman said:
umm, DCM, technically you just brought up sony lol.
Yeah, I know, but I didn't compare the two companies or say Sony was the answer. This is still about Microsoft's security problems.
 5 years ago '11        #8
Jesszman
Yeah, I feel you.
 5 years ago '05        #9
Krazie
Social engineering isn't a new thing, but that's pretty lacking on Microsoft's part if they don't lock attempts after so many tries, even with a CAPTCHA image.
 5 years ago '11        #10
Jesszman
 DJ Krayzie said:
Social engineering isn't a new thing, but that's pretty lacking on Microsoft's part if they don't lock attempts after so many tries, even with a CAPTCHA image.
 5 years ago '05        #11
Krazie
 Jesszman said:
What?
 5 years ago '11        #12
Jesszman
idk lol. Have you played Asura's Wrath?
 5 years ago '05        #13
Krazie
 Jesszman said:
idk lol. Have you played Asura's Wrath?
Not yet.. I'm kinda psyched to try it though. I don't usually mess with demos, so I'll just Gamefly it when I get the chance.
 5 years ago '11        #14
dom
Asura's Wrath, the demo didn't do it for me. He looks corny with 6 arms to me.
 5 years ago '11        #15
One Gud Cide
This isn't Microsoft's problem at all. You can do this on literally every single site/form/etc. that has a username and pass. All they're doing is trying to guess your password.

Now with a simple script, hackers can brute-force their way into your Xbox Live account. The script would batch-run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in.
If you're still stupid enough to use passwords like "12345" "password" etc, then basically you deserve to have your account stolen.

People think "oh it says mix upper/lowercase letters, mix in numbers, and don't use words" it's just written there for no reason.
 5 years ago '11        #16
Jesszman
Son, the second level of the demo was amazing.
 5 years ago '07        #17
I bleed GREEN
 DominationCM said:
So once again Microsoft could have prevented some really bad sh*t from happening and didn't. Microsoft makes money off this sh*t. I can't wait to read what DJ, Flawless Image and the rest of Xbox's cronies say about this sh*t.

Hey wait, they haven't responded yet. Let's really pay attention to the first thing they mention. I bet y'all they gonna do 1 or 2 things: attack Jesszman for posting this thread or bring up issues with Sony. There's NOTHING IN THIS ARTICLE ABOUT SONY. THIS HAS NOTHING TO DO WITH SONY. They're going to be the ones to bring Sony into this. Watch and see. They're going to defend Microsoft for having bush league a.ss security. peep game
Yeah, I hadn't responded yet. Damn, guess I should've got on here on my phone to check for new threads about Xbox security while I was out. Funny for calling me out though, 'cause really I'm not an Xbox cronie, I just like calling Sony fanboys out; when I see a spade I call it a spade, whether or not they try to act like they aren't undercover fanboys.

And this doesn't surprise me at all; people do this on all kinds of websites.
 5 years ago '05        #18
Krazie
 One Gud Cide said:
This isn't Microsoft's problem at all. You can do this on literally every single site/form/etc. that has a username and pass. All they're doing is trying to guess your password.

If you're still stupid enough to use passwords like "12345" "password" etc, then basically you deserve to have your account stolen.

People think "oh it says mix upper/lowercase letters, mix in numbers, and don't use words" it's just written there for no reason.
Yeah, it's a flaw, but it truly is the user's fault even more so. This is why I use a LIVE ID that's completely unique from what I use for anything else anymore.
 5 years ago '06        #19
coolio

[pic - click to view]
 5 years ago '11        #20
dom
 Flawless Image said:
Yeah, I hadn't responded yet. Damn, guess I should've got on here on my phone to check for new threads about Xbox security while I was out. Funny for calling me out though, 'cause really I'm not an Xbox cronie, I just like calling Sony fanboys out; when I see a spade I call it a spade, whether or not they try to act like they aren't undercover fanboys.

And this doesn't surprise me at all; people do this on all kinds of websites.
I knew I was going to get your attention not by mentioning your name but by capitalizing SONY. But on a real note, it doesn't matter if it's SONY or Microsoft; getting your sh*t jacked by a bi*ch a.ss hacker isn't funny at all.