
Windows Live may be a vulnerability for Xbox Live users

Are hackers exploiting a vulnerability in Windows Live to buy Microsoft Points on Xbox Live illegally?

Following the ongoing investigation into suspicious activity on the accounts of Xbox Live users, some gamers are taking matters into their own hands. Jason Coutee, a network infrastructure manager whose Xbox Live account was hacked, decided to look into the issue himself after Xbox Live customer service failed to be of much help.

After Coutee realized that his credit card had been charged for a purchase of 8000 Microsoft Points, he called the Xbox Live support desk, only to find out that another transaction, for an Xbox Live Family Pack, was in the middle of being processed. Coutee canceled the purchase, and customer service offered him the standard 30-day account freeze in order to investigate.

Coutee researched potential account vulnerabilities and came away with a possible link to Microsoft’s Windows Live ID system. Hackers can feasibly gather a list of gamertags from any Xbox Live multiplayer game and enter each one into Google. Certain social networking sites may turn up in the search with a valid e-mail address attached to that gamertag. The hackers would then check that e-mail address on the Windows Live login page. If the hacker gets the error message “account is invalid”, the user may have updated their information. However, if the error message “password is wrong” comes up, the hacker has found a valid ID and simply needs to figure out the password. The two different error messages are what let an attacker tell a valid ID from an invalid one.

The article at Analog Hype describes how these hackers would then get into the account by running a script that tries a list of candidate passwords one after another until one logs in:
“Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker.”

Once they’re in the account, they have access to all of your account details and any credit cards associated with it. The article offers a valid point on how Microsoft could prevent this, or at the very least help Xbox Live users keep their accounts safe: contact the owner of the account by e-mail after more than “X” failed login attempts. The underlying weakness is that the failed-attempt counter lives in the page session rather than with the account, so a link that reloads the page also resets the counter.
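The following is an added example, not code from Analog Hype, Microsoft, or the article's author, of what the fix described above looks like on the server side. The failed-attempt counter is keyed by the account and kept in server memory, so reloading the page or following a "try with another Live ID" link cannot reset it; after a threshold of failures (the article's "X", set here to 8) the owner is notified once and each further failure doubles a lockout timer, the incrementing lockout that a commenter below also suggests. Unknown accounts and wrong passwords get the same reply, so the response no longer distinguishes a valid ID from an invalid one. The account name, password, callback functions and timings are all constructed for the demo and are assumptions of this example, not anything from the original page.

```python
# Added example (not Analog Hype's or Microsoft's code): server-side login throttling
# with a per-account failure counter, owner notification, and incremental lockout.
import time
from dataclasses import dataclass

NOTIFY_THRESHOLD = 8        # the article's "X": e-mail the owner after this many failures
BASE_LOCKOUT_SECONDS = 30   # first lockout length; doubles with each further failure
MAX_LOCKOUT_SECONDS = 3600  # cap so the backoff cannot grow without bound


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0
    owner_notified: bool = False


class LoginGuard:
    """Wraps a password check with per-account failure counting and backoff.

    verify_password(account, password) -> bool  (must return False for unknown accounts)
    notify_owner(account, failure_count)        (e.g. sends the warning e-mail)
    clock()                                     (seconds; injectable for tests)
    """

    def __init__(self, verify_password, notify_owner, clock=time.monotonic):
        self._verify = verify_password
        self._notify = notify_owner
        self._clock = clock
        self._states = {}  # account id -> _AccountState, kept on the server, not in the page

    def attempt(self, account, password):
        """Return (status, seconds): status is 'ok', 'failed' or 'locked'.

        'failed' carries the attempts left before lockout; 'locked' carries the wait.
        Unknown accounts and wrong passwords get the same 'failed' reply, so the
        response does not reveal whether the e-mail address is a valid ID.
        """
        state = self._states.setdefault(account, _AccountState())
        now = self._clock()
        if now < state.locked_until:
            return ("locked", int(state.locked_until - now))  # no password check while locked
        if self._verify(account, password):
            self._states.pop(account, None)  # a successful login clears the history
            return ("ok", 0)
        state.failures += 1
        if state.failures < NOTIFY_THRESHOLD:
            return ("failed", NOTIFY_THRESHOLD - state.failures)
        if not state.owner_notified:
            self._notify(account, state.failures)  # warn the owner exactly once per burst
            state.owner_notified = True
        lockout = min(BASE_LOCKOUT_SECONDS * 2 ** (state.failures - NOTIFY_THRESHOLD),
                      MAX_LOCKOUT_SECONDS)
        state.locked_until = now + lockout
        return ("locked", lockout)


def demo():
    """Walk a constructed account through a burst of wrong guesses (all data constructed)."""
    account = "owner@example.invalid"      # constructed, not a real address
    password = "correct-horse-battery"     # constructed
    clock = [0.0]                          # fake clock so the lockouts are deterministic
    notifications = []
    guard = LoginGuard(
        verify_password=lambda acct, pw: acct == account and pw == password,
        notify_owner=lambda acct, n: notifications.append((acct, n)),
        clock=lambda: clock[0],
    )
    results = {}
    results["seventh_wrong"] = [guard.attempt(account, "guess%d" % i) for i in range(7)][-1]
    results["eighth_wrong"] = guard.attempt(account, "guess7")   # owner notified, 30 s lockout
    results["during_lock"] = guard.attempt(account, password)    # even the right password waits
    clock[0] = 31.0
    results["ninth_wrong"] = guard.attempt(account, "guess8")    # backoff doubles to 60 s
    clock[0] = 100.0
    results["unknown_id"] = guard.attempt("nobody@example.invalid", "x")  # same reply as a wrong password
    results["correct"] = guard.attempt(account, password)        # lockout expired, history cleared
    results["notifications"] = notifications
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The state table is in-process memory for the demo; a real deployment would keep it in shared storage so that every front-end node sees the same counter, and would apply the same accounting per source address as well, since the commenters below note that an attacker can run several browser windows at once.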

It’s become an all-too-clichéd piece of advice, but it is worth reiterating over and over: do not reuse the same login information across all of your various internet accounts. It’s definitely a pain in the ass, yet taking that extra step may ensure that you do not have to go through an ordeal like Coutee’s and those of countless others who have had similar experiences.

January 13, 2012

24 COMMENTS
  • Cool dude

    “do not keep your login information consistent across all of your various internet accounts”

    Ohh crap…

  • IHATETROLLS (WHO DOESN’T)

    that is pretty easy hacking

    • Cool dude

      I think the solution is pretty easy here… Fully randomize the CAPTCHA code, so even though the hacker can reset it, it would come up with a different code.

      I mean.. Hacking with brute force? And coming out successful? Wow, that’s weak security.

    • That Guy

      @cool dude. It’s not that they’re resetting the CAPTCHA. When you get to the CAPTCHA there’s an option to try with another account which basically just reloads the page and lets them try 8 times again.. go try it and you’ll see what I mean. The best solution would be to remove the option and bar them from trying to log in for an incrementing amount of time, much like iPods do when you enter the wrong password.

  • Original Source

    See, the thing is that brute force is very old. MS makes it sound like it’s something Blizzard and Google and just about any other community website haven’t put up defenses for. As the guy states, you can pretty much batch script the process of loading that try another ID link and use key press generators for the rest and go watch the game or eat pizza. Since all you need is a browser you can have multiple scripts running at the same time in multiple IE windows. I mean, when there is no temporary lockout timer this doesn’t take very long. http://howsecureismypassword.net/

    • That Guy

      106 years… do i win? :P

  • njb

    Then they should have something else instead of an Email or ur own LIVE ID to sign in. But u keep that to urself and only ur Gamer ID is Public.

    Simple answer is don’t save Card Details, Manually enter them with any purchase, I know it’s effort but at least you know you’re safe.

    • Norbiej

      yeah that won’t work….microsoft has this great system that you need to add the credit card and if you want to delete it you must first call microsoft (!) to do this….

    • AKA Zzz

      Wrong. I’m looking at the screen right now.

  • counter troll ops

    Of this I’m sure, sick of seeing all this hacking shit

  • Nig

    Bet they’re gonna make you pay for better security and the xbots will gladly bend down for their master again.

    • That Guy

      did you forget psn also got hacked on a MUCH larger scale?

  • njb

    That’s 1 reason I will not get any MS console, customer support is just terrible

  • Wipeout

    At least PSN isn’t getting hacked on a consistent basis

    • Cool dude

      Xbox Live was never hacked.. So what’s your point?

    • Allen

      Yeah…if you keep denying it then maybe someday that will be true. Xbox Live has been hacked..quit fooling yourself.

    • Cool dude

      Whe..When?

  • Hoppsy

    Lol why do you pay for online again?

  • X

    I actually hope PSN goes down again, I want 2 more FREE games, :D what did MS give u xbots when banbox live went down?! and why did they raise the price for no reason like a yr ago?! haha so sad how u are so blind

  • Tbone

    What is this, the 5th or 6th year Sony Corp has lost billions? When Sony can’t afford development of the ps4 and additional features for psn, you’ll be wishing you pitched in a couple bucks a month to support your company.

    Good article though, both ms and the users need to step it up to prevent hackers.

  • Raven

    Ha, you’d give up your personal info and online gaming for a month for a couple of games that go for around $10 each used, ridiculous

  • Wipeout

    Xbox Live gets hacked cause Microsoft is slow at fixing flaws or just doesn’t care…hmmm where’s the money people pay for “live” going to then…. and xbots are even slower for signing their accounts on third party sites

  • Brian

    That money is probably going to all these new apps that PSN does not have, plus I’d take MS security that has only failed for a small percentage of users compared to Sony’s that failed for 100% of users for over 30 days.

    But MS did have a couple sporadic outages 3 years ago that affected a small percentage of people. That was due to some huge game releases blowing up the amount of people playing online.

    Luckily PSN will probably never run into any issues with too many people playing a Sony exclusive online at once. 500k in Resistance 3 sales, fail, buy some exclusives people, bragging about them won’t keep Sony running.