Recent XBLA account hacks may be due to a security flaw in xbox.com, claims a network infrastructure manager who had his own account hacked and decided to do some investigating of his own.

Jason Coutee had his account hacked and 8000 Microsoft Points purchased with his credit card. After contacting Microsoft he was told they could not reimburse him for the lost cash and that it would take them 30 days, after locking down his account, to investigate. Not wanting to wait that long, he decided to investigate himself, and what he found was that xbox.com allows an indefinite number of login attempts, only prompting the user to enter a CAPTCHA code after 8 failed attempts. When the code is entered, the clock starts again, allowing hackers with the ability to circumvent the CAPTCHA to run password-generating scripts and break into accounts using a trial-and-error, brute-force approach.

Using this method, hackers are able to play games online, write down gamertags and then try to match them with email addresses online. Xbox.com would then confirm to the hacker whether the account was valid, and they would be able to script away to their hearts' content until they managed to break in.
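As an added illustration (not code from the article, from Coutee or from Microsoft), the following Python simulates the two weaknesses described above, the CAPTCHA that resets the failure counter and the login page that confirms whether an account exists, next to a hardened policy. The threshold of 8 failed attempts comes from the article; the credential store, usernames, lockout duration and function names are constructed assumptions.

```python
import hmac

# Constructed sample credential store (plaintext only to keep the simulation short).
CREDENTIALS = {"alice": "correct horse battery staple"}
CAPTCHA_THRESHOLD = 8   # failed attempts before xbox.com asked for a CAPTCHA (from the article)
LOCKOUT_THRESHOLD = 8   # assumed: failed attempts before the hardened policy locks the account
LOCKOUT_SECONDS = 900   # assumed base lockout duration

def _password_ok(user, password):
    # Runs for unknown users too, so timing alone does not reveal whether the account exists.
    stored = CREDENTIALS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())

def _record(state, user):
    return state.setdefault(user, {"failures": 0, "locked_until": 0.0})

def weak_attempt(state, user, password, captcha_solved=False):
    """The behaviour the article describes: a CAPTCHA after 8 failures, and a solved
    CAPTCHA resets the counter, so the total number of guesses is unbounded."""
    if user not in CREDENTIALS:
        return "no_such_account"          # confirms which gamertags are real accounts
    s = _record(state, user)
    if s["failures"] >= CAPTCHA_THRESHOLD:
        if not captcha_solved:
            return "captcha_required"
        s["failures"] = 0                 # the flaw: "the clock starts again"
    if _password_ok(user, password):
        s["failures"] = 0
        return "success"
    s["failures"] += 1
    return "invalid"

def hardened_attempt(state, user, password, now):
    """Failures persist until a successful login; past the threshold the account is
    locked for a doubling period, and unknown accounts get the same generic reply."""
    s = _record(state, user)
    if now < s["locked_until"]:
        return "locked"
    if _password_ok(user, password):
        state.pop(user, None)
        return "success"
    s["failures"] += 1
    if s["failures"] >= LOCKOUT_THRESHOLD:
        s["locked_until"] = now + LOCKOUT_SECONDS * 2 ** (s["failures"] - LOCKOUT_THRESHOLD)
    return "invalid"
```

With the weak policy a ninth wrong guess only earns a CAPTCHA, after which the counter is back at zero; with the hardened policy the eighth failure locks the account and the lock survives any CAPTCHA.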

Coutee has attempted to notify Microsoft of his findings but says that he was ignored by most Microsoft departments he talked to, and was shuffled from one department to the next with some simply telling him to email helpnow@microsoft.com. Even the Piracy and Phishing department at Microsoft wouldn't help him with anything Xbox related.

Microsoft has yet to comment on his findings or to confirm if this is the actual source of the hackings. And it may just be that Coutee stumbled upon a different method in his search for his own nemesis. In any case, let's hope Microsoft does something about this quickly.

[Source EDGE, Analog Hype]

Comments

  • Harleycosmo
    12 years, 2 months ago

    Well at least Microsoft are as willing to take advice as they are to give it.

  • drake and his fortune
    12 years, 2 months ago

    Xbox.com is a piece of shit, I can see how easy it would be to hack someone.

  • lemith
    12 years, 2 months ago

    Wow.

  • scythemouseq
    12 years, 2 months ago

    Not only that, but where PayPal is concerned, it only asks for verification once when linking the account, then never again. I get asked for my PayPal password every time I purchase something on Steam, so Microsoft could take a page from their book.

  • WingZero
    12 years, 2 months ago

    On an unrelated note... OMG, that Xbox pillow is so full of WIN!

  • Trusis
    12 years, 2 months ago

    That's really crappy on Xbox's part, they should take all the help they can get. Bad business, Microsoft!

  • Comradebearjew
    12 years, 2 months ago

    Goddamn Microsoft sucks