Your Xbox Live email could have been exposed to hackers

A recently fixed vulnerability could have exposed a player’s Xbox Live email to hackers through their Gamertag, potentially compromising the online service used for Xbox One and Xbox Series X|S multiplayer gameplay and social features.

Xbox Live has been around for nearly twenty years, beginning with the original Xbox console. The service has seen changes over the years such as the ways a player can create a Gamertag and its eventual inclusion as part of Xbox Game Pass Ultimate. It has since been discovered that a security vulnerability could have exposed a player’s email to hackers without too much effort.

Why the Xbox Live e-mail vulnerability is a problem for players

The Xbox Live email vulnerability was reported to Vice by two ethical hackers who wanted to alert Microsoft about the issue. One of the anonymous hackers asked Vice not to publish anything until Microsoft had confirmed the issue was fixed for one simple reason: it wasn’t too difficult to discover the vulnerability.

“If you publish the article before it’s patched it will get found within 2-3 minutes,” one of the hackers told Vice. “It’s the easiest vulnerability I’ve ever found.”

According to the hacker, the email addresses were accessed via the Xbox Live Enforcement website. The technical issue allowed anyone with the proper knowledge to discover the email address behind any Gamertag within a few minutes. Vice’s own testing showed that the technique worked, although Microsoft has since deployed a fix to correct the problem.

This isn’t the first time this year a player’s personal information wasn’t adequately protected, either — it was recently discovered that a Genshin Impact issue could have exposed the phone numbers of some players. Thankfully, this particular issue was also quickly resolved by Genshin Impact’s developer Mihoyo.

The exposure of a player’s Xbox Live email address on its own wouldn’t result in an account being compromised, but it could have led to online harassment — or more worryingly, phishing attacks. For example, fake Cyberpunk 2077 beta invites went out earlier this year, presumably in an attempt to steal players’ personal information. Nobody knows for certain how long this vulnerability existed in Microsoft’s systems, so players using Xbox Live should pay extra special attention to any emails purporting to be from Microsoft in the future.
