Recent XBLA account hacks may be due to a security flaw in xbox.com, claims a network infrastructure manager who had his own account hacked and decided to do some investigating of his own.
Jason Coutee had his account hacked and 8000 Microsoft Points purchased with his credit card. After contacting Microsoft, he was told they could not reimburse him for the lost cash and that it would take them 30 days, after locking down his account, to investigate. Not wanting to wait that long, he decided to investigate himself. What he found was that xbox.com allows an indefinite number of login attempts, only prompting the user to enter a CAPTCHA code after 8 failed attempts. When the code is entered, the clock starts again, allowing hackers with the ability to circumvent the CAPTCHA to run password-generating scripts and break into accounts using a trial-and-error, brute-force approach.
Using this method, hackers are able to play games online, write down gamertags and then try to match them with email addresses online. Xbox.com would then verify for the hacker if the account was valid, and they would be able to script away to their heart's content until they were able to break in.
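The throttling behaviour described above, modelled beside a hardened alternative, as an added example that is not code from the article, Coutee or Microsoft. Only the 8-attempt CAPTCHA threshold comes from the article; the class names, the one-guess-per-second client and the exponential backoff design are assumptions.

```python
CAPTCHA_AFTER = 8  # from the article: CAPTCHA shown after 8 failed attempts


class ResettingCaptchaPolicy:
    """Behaviour the article describes: a solved CAPTCHA restarts the count."""

    def __init__(self):
        self.failures = {}

    def allow(self, account, now, captcha_solved=False):
        if self.failures.get(account, 0) >= CAPTCHA_AFTER:
            if not captcha_solved:
                return False
            self.failures[account] = 0  # "the clock starts again"
        return True

    def record_failure(self, account, now):
        self.failures[account] = self.failures.get(account, 0) + 1


class BackoffPolicy:
    """Hardened variant (assumed design): past the threshold, each failure
    doubles a per-account delay, and a solved CAPTCHA never clears it."""

    def __init__(self, base_delay=1, max_delay=3600):
        self.failures, self.locked_until = {}, {}
        self.base_delay, self.max_delay = base_delay, max_delay

    def allow(self, account, now, captcha_solved=False):
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        n = self.failures[account] = self.failures.get(account, 0) + 1
        if n >= CAPTCHA_AFTER:
            delay = self.base_delay * 2 ** (n - CAPTCHA_AFTER)
            self.locked_until[account] = now + min(delay, self.max_delay)


def accepted_guesses(policy, account, seconds):
    """Wrong-password attempts the policy accepts in `seconds` from a
    constructed client that tries once per second and always presents a
    solved CAPTCHA (time is in whole seconds)."""
    accepted = 0
    for now in range(seconds):
        if policy.allow(account, now, captcha_solved=True):
            policy.record_failure(account, now)
            accepted += 1
    return accepted
```

Over one simulated hour the resetting policy accepts every guess, while the backoff policy accepts 19. A per-account delay can also be triggered by a third party against a legitimate user, so it is usually paired with per-source limits.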
Coutee has attempted to notify Microsoft of his findings but says that he was ignored by most Microsoft departments he talked to, and was shuffled from one department to the next with some simply telling him to email helpnow@microsoft.com. Even the Piracy and Phishing department at Microsoft wouldn't help him with anything Xbox related.
Microsoft has yet to comment on his findings or to confirm if this is the actual source of the hackings. And it may just be that Coutee stumbled upon a different method in his search for his own nemesis. In any case, let's hope Microsoft does something about this quickly.
[Source EDGE, Analog Hype]
Comments
12 years, 10 months ago
Well at least Microsoft are as willing to take advice as they are to give it.
12 years, 10 months ago
Xbox.com is a piece of shit, I can see how easy it would be to hack someone.
12 years, 10 months ago
Wow.
12 years, 10 months ago
Not only that, but where Paypal is concerned, it only asks for verification once when linking the account, then never again. I get asked for my Paypal password every time I purchase something on Steam, so Microsoft could take a page from their book.
12 years, 10 months ago
On an unrelated note....OMG, that xbox pillow is so full of WIN!
12 years, 10 months ago
That's really crappy on Xbox's part, they should take all the help they can get. Bad business, Microsoft!
12 years, 10 months ago
Goddamn Microsoft sucks