
Forums - Microsoft - Windows Live login suggested as Xbox Live security flaw

Joystiq

Since reporting on the "FIFA hack" and related security concerns with Xbox Live and the Windows Live ID system, we've received stories, documentation and theories on how this is happening from dozens of victims. As we continue to follow up on several leads, Analoghype posits an interesting theory on how some of these breaches may be occurring.

AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. Going to Xbox.com, the hacker can now test if the email is a valid ID by attempting to sign in. An error message of "account is invalid" has them moving on to another email; "password is incorrect" means they've got a real account, but a bad password.

Now, according to the theory, the hackers start batch running potential passwords: "Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for "try with another Live ID." Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker."

Of course, once they are in, the hacker has access to all your account details and associated credit cards, PayPal and Microsoft Points.

Microsoft told us recently that the Windows Live ID has not been compromised and the FIFA hack, along with other similar incidents, are cases of social engineering or phishing. We continue to recommend changing -- and not publicly posting -- account details.
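The two weaknesses the Analoghype theory relies on (a sign-in error that tells unknown accounts apart from wrong passwords, and a CAPTCHA counter that the "try with another Live ID" link clears) are generic login-design bugs, so they can be modelled without any real service. The block below is an added example written for this page, not code from Joystiq, Analoghype or Microsoft, and it makes no claim about how Xbox.com was actually built: `LeakyLogin` behaves exactly as the article describes, `HardenedLogin` shows the usual fix (one generic error message and a per-account failure count nothing on the page can reset), and the accounts, password list and limit of 8 are constructed for the demo.

```python
"""Toy model of the sign-in weaknesses described in the article.

Constructed for illustration: the accounts, passwords and wordlist are
made up, and neither class is the real Xbox.com implementation.
"""

# Constructed sample user database (plaintext only to keep the toy short;
# a real service stores password hashes and compares them in constant time).
USERS = {
    "gamer1@example.com": "hunter2",
    "player@example.com": "letmein99",
}

CAPTCHA_AFTER = 8  # the article: 8 wrong attempts before a CAPTCHA appears


class LeakyLogin:
    """Endpoint as the theory describes it: distinct errors for unknown
    account vs wrong password, and a single CAPTCHA counter that the
    'try with another Live ID' link resets."""

    def __init__(self):
        self.failures = 0
        self.captcha_required = False

    def try_another_id(self):
        # The flaw: switching accounts clears the CAPTCHA state server-side.
        self.failures = 0
        self.captcha_required = False

    def login(self, email, password, captcha_solved=False):
        if self.captcha_required and not captcha_solved:
            return "captcha required"
        if email not in USERS:
            return "account is invalid"        # leaks that the ID does not exist
        if USERS[email] != password:
            self.failures += 1
            if self.failures >= CAPTCHA_AFTER:
                self.captcha_required = True
            return "password is incorrect"     # leaks that the ID does exist
        self.failures = 0
        return "ok"


class HardenedLogin:
    """Same endpoint with two fixes: one generic error for both cases, and a
    per-account failure count that no link on the page can reset."""

    def __init__(self):
        self.failures = {}  # email -> consecutive failures

    def try_another_id(self):
        pass  # changing the ID in the form changes nothing server-side

    def login(self, email, password, captcha_solved=False):
        n = self.failures.get(email, 0)
        if n >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha required"
        if USERS.get(email) == password:
            self.failures[email] = 0
            return "ok"
        self.failures[email] = n + 1           # counted even for unknown IDs
        return "invalid credentials"           # same text either way


def enumerate_accounts(login, candidates):
    """Step 1 of the theory: keep every email whose error is not 'account is
    invalid'. Against the hardened endpoint this keeps all candidates, so the
    attacker learns nothing."""
    return [e for e in candidates if login.login(e, "x") != "account is invalid"]


def brute_force(login, email, wordlist):
    """Step 2: guess passwords, using try_another_id() whenever a CAPTCHA
    appears. Returns (password or None, guesses the server accepted)."""
    guesses = 0
    for pw in wordlist:
        result = login.login(email, pw)
        if result == "captcha required":
            login.try_another_id()
            result = login.login(email, pw)
            if result == "captcha required":
                return None, guesses           # reset did not help; stall
        guesses += 1
        if result == "ok":
            return pw, guesses
    return None, guesses


# Constructed wordlist; the real password sits at position 15.
WORDLIST = ["password", "123456", "qwerty", "xbox360", "halo3", "letmein",
            "football", "iloveyou", "admin", "welcome", "monkey", "dragon",
            "master", "shadow", "hunter2", "sunshine", "princess"]

CANDIDATES = ["gamer1@example.com", "nobody@example.com", "player@example.com"]


def run_demo(login_cls):
    """Run both attack steps against one endpoint and report the outcome."""
    login = login_cls()
    found = enumerate_accounts(login, CANDIDATES)
    password, guesses = brute_force(login, "gamer1@example.com", WORDLIST)
    return found, password, guesses


if __name__ == "__main__":
    print("leaky:   ", run_demo(LeakyLogin))      # recovers hunter2 in 15 guesses
    print("hardened:", run_demo(HardenedLogin))   # stalls after 7 guesses
```

Against `LeakyLogin` the attacker narrows three candidates to the two real accounts and recovers the password after 15 guesses, clearing the CAPTCHA twice on the way; against `HardenedLogin` the enumeration step returns all three emails and the guessing stops at the eighth attempt because the per-account counter survives the reset. The real service would also add rate limiting per source IP and an alert on many failures, but the two changes shown are what turn the article's "easily automated" loop into one that stalls.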



OK! Who are you and what have you done to the real Nsanity??



“It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grams a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grams a week. Was it possible that they could swallow that, after only twenty-four hours? Yes, they swallowed it.”

- George Orwell, ‘1984’

^^^Lol, post

BTW. Why is is only isolated to Fifa 12?

Very, very suspicious.



Yay!!!

IGN

UPDATE: Microsoft has addressed concerns surrounding an alleged Xbox.com hacking trick as reported here at IGN. The official line is as follows: 

"Microsoft can confirm that there has been no breach to the security of our Xbox Live service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers' information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at http://xbox.com/security to protect your account."

Microsoft also specifically states, "This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue." In addition, it reiterated that account compromises are often a result of phishing scams and malware used to snatch your password. 

http://ie.xboxlive.ign.com/articles/121/1216502p1.html