News - Microsoft dismisses claims of Xbox Live hacking

[HEXUS]

Accounts have not breached says MS after claims to the contrary.

Read more.

[Ross1]

While it may not have been "hacked", it does have a serious security flaw and its frankly disgusting they arent doing anything about it.

Here is how the accounts are being broken into:

The first step was to gather the Windows Live ID’s of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and enter them individually on Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live ID’s. Now the hackers check to see if the email is a valid Windows Live ID. To do this, hackers headed to Xbox.com Typing in the email and a random password like blah.

If the hacker got the error message “account is invalid” they move on to another email.



When the hacker comes across the error message “password is wrong” then that account is in trouble.



Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential password, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe. Hackers will take your credit card info, Netflix, Hulu Plus, the works.

Credit to http://www.analoghype.com/video-game...red-the-truth/

[crossy]

While it may not have been "hacked", it does have a serious security flaw and its frankly disgusting they arent doing anything about it.

Here is how the accounts are being broken into: [snipped]

Many thanks for posting the explanation. Actually I was going to suggest that the argument between Jason Coutee and Microsoft could easily be settled - if JC can break in then XBL has been compromised, if not then maybe MS is correct.

Problem I've got with the attack as detailed is that surely, with the "requirement" to circumvent the Captcha input, the number of guesses that a scripted attack can perform is going to be throttled. Being worried about this I fed my XBL password into GRC's password haystacks evaluator and it's coming back with breakage times into ten's of centuries - and that's assuming that the script kiddie can generate a 1000 hits/second. And unless told otherwise, I'm going to assume that el hacker isn't going to be able to generate this kind of throughput.

So I think I'm not too concerned at the moment, but I'm a bit dismayed that MS don't appear to be taking it seriously - some statement that they've actually checked out the suggested attack method would go a long way to reassuring me. Oh, and some modification to XBL/Live so that it tracked the number of failed login attempts on an account and locked after a set number of consecutive failures - say 20 perhaps - with a successful login resetting this counter. Yes, I know this leaves folks open to a DoS attack against their accounts - we just can't win can we?

[abaxas]

MS need to know the difference between noticing and not.

Having not seen it, does not mean it has happened.

[BlauLicht]

i never hook up my card details to xbl as i buy codes online on a website much cheaper. and i dont really use the other services, got a pc hooked up to the pc, but yeah ms needs to secure it better, cause there are so many ways that ppl take ur windows id and because of xbl it has greatly been increased

[Hicks12]

but that is using brute force... brute force isnt a security 'issue' on MS end, its people failing to keep their ID secure, the whole point of an ID is for your login and then your user name is used for everything else... If they're finding your logins through your facebook/twitter accounts then you clearly dont try and keep your account secure and its your own fault!.

Brute force is a very basic method so im not sure why it mentions skilled hackers as it doesnt require any skill todo it in a reasonable time. However i will say this, Microsoft should be introducing tighter attempt methods, it should be 3 - 5 at most and then BLOCK logins for x amount of minutes as captchas aren't that effective anymore .

But again, MS are right in their statement, users should be using a decent length password with capitals, punctuation, numbers. Simple stuff that everyone should be educated in, it would help you in avoiding this alot!.

Looking at it though its similar to most systems, look at facebook you just merely login and failed attempts require captcha but thats it! Facebook is even worse when you think about it as alot of people have their email on their profile info so straight away theres the id...

[TheAnimus]

This is a bit of a non-news story surely? Capture is still cropping up 8 times or something per id?

The only bit of that tale that sounded bad was the idea they could get their credit card details, surely the server shouldn't spit those back out?

[[GSV]Trig]

Its not a security issue as such, personally I think MS should just respond by changing what the website does after the first round of captcha and block the account for an hour or so from that IP.

[TheAnimus]

Its not a security issue as such, personally I think MS should just respond by changing what the website does after the first round of captcha and block the account for an hour or so from that IP.

Even 10 min would do the trick.

Its the usual trade off, usability for security.

Having "I'm sorry dave, I can't authentificate that" doesn't help the muppets to realise they've a simple typo in their username.

It's still only going to be those using very week passwords who can be cracked, this is more a concern of how much information people un-whittingly give away on their myface/twit

[crossy]

This is a bit of a non-news story surely? Capture is still cropping up 8 times or something per id?

The only bit of that tale that sounded bad was the idea they could get their credit card details, surely the server shouldn't spit those back out?

If you check out the posting by Ross1, you'll see that (according to his source at least) that there's a way to circumvent the Captcha and continue to try another set of eight guesses.

But I'll wholeheartedly agree with that second statement - once you've entered credit card details there should be no way for you to see more than just a portion of them (e.g. first and last four digits of the card number, with the rest being blanked out)