This Might Be The Reason Behind The Xbox Live 'Hacks'

Ever since the first wave of "FIFA Hacks" surfaced last year, a lot of people have been complaining that their Xbox Live accounts had been "hacked". Microsoft has continually denied any such breach of security, but you know, there have been too many cases for too long now for this to be nothing.

So, uh, what's the cause behind the whole mess?

According to a report on Eurogamer, based on the testimony of a man who allegedly knows "how to hack into Xbox Live accounts", the culprit isn't Xbox Live itself, but Microsoft's Xbox.com website and, by extension, its Games for Windows Live service.

...point the finger at Xbox.com - the website. This allows eight password attempts at a Windows Live ID before CAPTCHA is triggered - the system that presents those squiggly words. A simple password-generating script can apparently be used to exploit this system before CAPTCHA kicks in.

The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they're valid - "the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."

Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points.

If this is indeed the root cause — and remember, we don't know that it is — it certainly sounds about right. It always seemed too timely to be a simple case of lazy passwords on the part of users, but if it was a breach of Xbox Live itself, Microsoft would surely know about it. So a combination of the two sounds entirely plausible.

We're checking with Microsoft to see if they can comment, and will update if we hear back.

Is this the hack used to exploit Xbox Live accounts? [Eurogamer]


Comments

    "It always seemed too timely to be a simple case of lazy passwords on the part of users"

    If it gives 8 attempts before the captcha kicks in, and the system can guess those passwords in less than 8 attempts, then yes it is a simple case of lazy passwords.

      No, the thing is you can click on a link to try another ID, which resets the captcha. Then you can try with the same ID another 8 times.

      Simple script to automate it all and you could brute-force a list of common passwords fairly easily.

        "Simple script to automate it all and you could brute-force a list of common passwords fairly easily."

        Still a case of lazy passwords.

          Are you being serious? Ad has just said you can have infinate attempts at a password by reloading the page, but you still claim lazy passwords?

          Given enough time a brute force attack can crack any password, lazy passwords will just be cracked a lot sooner.

            Brute force also takes an eternity to achieve any meaningful results, and thats when running the attack locally on a machine.

            Remote brute force over something as slow (relatively) as the internet is basically useless, the person who owns the account your trying to take off with would be long dead by the time you got in.

              This pre supposes that their account has a strong password. You can flood an internet connection pretty effectively with requests, whether to perform a ddos attack the type of exploit that the person earlier was referring to. You need quite a few points of entropy and an effective Captcha to allow for the sort of time you are talking about.

    Hold on, so if my email address is not "McGarnical @ whatever.com" (and it isn't), I'm safe?

      And as long as your password isn't "aardvark"

    I feel sorry for Aaron. A. Aaronson

    So yeah this just happened to me yesterday and I've spent the better part of tonight on the phone with Xbox Support who have been quite nice about everything and it'll mean a while without Xbox Live Gold and hopefully by the end a refund of my stolen points.

    How did I notice - suddenly I had acheivements in FIFA12 a game that has never been near my console.

    What gets me is why FIFA??? How boring can criminals get

Join the discussion!

Trending Stories Right Now