A network infrastructure manager claims that lax security on the official Xbox website is behind the recent spate of Xbox Live account thefts.
Analog Hype reports that the security flaw was found by Jason Coutee, who had his own account stolen and 8,000 Microsoft Points purchased using his stored credit card details.
When he contacted Microsoft support to notify them, he was told that the company would not be able to refund him for the 8,000 MSP, but offered to lock his account down and investigate, which could take up to 30 days. He declined, opting to use his professional experience and investigate on his own. A couple of weeks later, he found a hole in Xbox.com security.
It appears that Xbox.com allows an unlimited number of password attempts, requiring only that a CAPTCHA be solved after eight failed attempts. Input the correct CAPTCHA and you get another eight attempts, meaning that a password-generating script (with a human or a solving service feeding it CAPTCHA answers) can brute-force its way into Xbox Live accounts without the account ever being locked as a precaution after too many failed attempts.
So, Coutee played a few rounds of Halo: Reach, noted down the Xbox Live gamertags of his opponents, and Googled them in the hope of finding related email addresses. Xbox.com was a help here: after a login attempt it makes clear whether or not an email address has an associated Windows Live ID, so a list of guessed addresses can be checked against the login form itself before any password guessing starts.
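To make the two weaknesses concrete, here is an added example that is not Xbox.com's code and is not from Coutee or Analog Hype: a toy login service that models the behaviour described above (a CAPTCHA after every eight failures but no lockout, and a response that reveals whether an email has an account), beside a hardened variant with a uniform error message and a real lockout. The user store, the wordlist, the message strings and the attempt threshold are all constructed for illustration.

```python
# Added example: hypothetical login service modelling the reported weaknesses
# beside a hardened variant. Not Xbox.com code; all data here is constructed.
import hmac
import itertools

# Constructed user store: email -> password (a real system stores salted hashes).
USERS = {"alice@example.com": "s3cret!", "bob@example.com": "hunter2"}


class WeakLogin:
    """Models the reported behaviour: a CAPTCHA is demanded after eight consecutive
    failures, solving it grants eight more, the account never locks, and the
    response reveals whether the email maps to an account."""
    CAPTCHA_AFTER = 8

    def __init__(self):
        self.failures = {}        # email -> consecutive failed attempts
        self.captchas_served = 0  # how often the gate asked for a CAPTCHA

    def attempt(self, email, password, solve_captcha=lambda: True):
        fails = self.failures.get(email, 0)
        if fails and fails % self.CAPTCHA_AFTER == 0:
            self.captchas_served += 1
            if not solve_captcha():       # a script with a solver just passes here
                return "captcha required"
        if email not in USERS:
            self.failures[email] = fails + 1
            return "no account for this email"   # enumeration leak
        if hmac.compare_digest(USERS[email], password):
            self.failures[email] = 0
            return "ok"
        self.failures[email] = fails + 1
        return "wrong password"


class HardenedLogin:
    """Uniform error for unknown user and wrong password, and a lockout after
    MAX_FAILURES consecutive failures that no CAPTCHA can reset."""
    MAX_FAILURES = 10  # hypothetical threshold

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def attempt(self, email, password, solve_captcha=lambda: True):
        if email in self.locked:
            return "invalid credentials"
        fails = self.failures.get(email, 0)
        stored = USERS.get(email, "")
        # Run the comparison even for unknown users so timing does not leak existence.
        match = hmac.compare_digest(stored, password)
        if email in USERS and match:
            self.failures[email] = 0
            return "ok"
        self.failures[email] = fails + 1
        if fails + 1 >= self.MAX_FAILURES:
            self.locked.add(email)
        return "invalid credentials"


def brute_force(service, email, candidates, max_attempts=1000):
    """Try candidate passwords in order. Returns (password or None, attempts made)."""
    attempts = 0
    for pw in itertools.islice(candidates, max_attempts):
        attempts += 1
        if service.attempt(email, pw) == "ok":
            return pw, attempts
    return None, attempts


def wordlist():
    # Constructed candidate list; alice's real password sits at position 30.
    return ["password", "123456", "qwerty"] + [f"guess{i}" for i in range(26)] + ["s3cret!"]


def enumerates_accounts(service):
    """True if the login response distinguishes an unknown email from a bad password."""
    unknown = service.attempt("nobody@example.com", "x")
    known = service.attempt("bob@example.com", "x")
    return unknown != known


if __name__ == "__main__":
    weak, hard = WeakLogin(), HardenedLogin()
    print("weak:", brute_force(weak, "alice@example.com", wordlist()),
          "captchas:", weak.captchas_served)
    print("hardened:", brute_force(hard, "alice@example.com", wordlist()))
    print("weak leaks accounts:", enumerates_accounts(WeakLogin()),
          "| hardened leaks accounts:", enumerates_accounts(HardenedLogin()))
```

Against the weak gate the script recovers the password on the 30th guess after answering three CAPTCHAs; against the hardened gate the account locks after ten failures and the remaining guesses are wasted. Note the trade-off the hardened policy buys into: a per-account lockout lets an attacker who knows an email address deny its owner access, which is why real deployments pair it with per-source rate limiting, progressive delays and a notification to the account owner rather than relying on lockout alone.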
Coutee attempted to report his findings to Microsoft but claims he was given the runaround, with HQ giving him a support email address, a helpline pointing him to the Xbox.com forums, while Microsoft's piracy and phishing department simply declined to help at all.
We've verified that Coutee's claim about the eight-attempt system is correct, and have sought comment from Microsoft. Whether or not this is to blame for the recent spate of account thefts, it's troubling that so large a company, with so much experience in network solutions, is apparently content to leave its back gate on the latch like this.