
Microsoft: there is no Xbox.com security loophole



wraggster
January 16th, 2012, 22:51
Microsoft has strenuously denied claims that lax security on the Xbox.com website is to blame for the recent spate of Xbox Live account thefts.
"The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," the company told us in a statement issued late on Friday. "Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it.
"We continue to evolve our security features and processes to ensure Xbox Live customers' information is secure … There is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute-force attacks and is an industry-wide issue."
Last week, network infrastructure manager Jason Coutee discovered (http://www.edge-online.com/news/report-xboxcom-security-flaw-behind-live-account-hacks) that Xbox.com essentially allowed unlimited login attempts: a Captcha was demanded only after every eight failed logins. That Captcha, however, could be bypassed by clicking the link to sign in with a different Windows Live ID, which in fact let the attacker keep trying the same email address without ever solving it.
While Microsoft is correct in saying that brute-forcing is widespread, Coutee has told Eurogamer that the company has since tightened up security behind the scenes.
"Shortly after the Microsoft response, the server over at Xbox.com started handling the brute force script differently," he said. "Before, it would just let you try over and over. But now it seems that, even though I'm still able to use the link to get past the Captcha, they handle the sign-in request on the server in a way that it will stop replying after 20 attempts.
"To me, this seems like they tightened security but didn't make any noticeable changes on the front end so they could discredit me. [The] good news is that at least they lengthened the time it would take to brute-force Live IDs."

http://www.edge-online.com/news/microsoft-there-no-xboxcom-security-loophole
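The flaw the article describes, and the behaviour Coutee observed after the fix, modelled as an added example. This is constructed illustration code, not Microsoft's sign-in implementation or Coutee's script: the class names, the session/account counters and the wordlist are assumptions, and only the two thresholds (a Captcha after eight failures, the server going silent after twenty) come from the article. The vulnerable service counts failures in the client's session and lets the "sign in with a different Windows Live ID" action reset that count; the hardened service counts failures against the target account on the server, where the client cannot reset them.

```python
"""Toy model of login throttling with a client-resettable counter (the
Xbox.com flaw as reported) beside a server-side, per-account counter.
Constructed example; thresholds 8 and 20 are the figures from the article."""
import hashlib
import hmac
from collections import defaultdict

CAPTCHA_AFTER = 8      # article: Captcha demanded after eight failed logins
HARD_STOP_AFTER = 20   # article: server stops replying after 20 attempts

# Constructed user store: email -> salted SHA-256 of the password (demo only).
def _hash(pw: str, salt: str = "demo-salt") -> str:
    return hashlib.sha256((salt + pw).encode()).hexdigest()

USERS = {"victim@example.com": _hash("hunter22")}  # constructed account

def _credentials_ok(email: str, password: str) -> bool:
    stored = USERS.get(email)
    return stored is not None and hmac.compare_digest(stored, _hash(password))

class VulnerableLogin:
    """Failure counter lives in the *session*; the 'different ID' link resets it."""
    def __init__(self):
        self.session_failures = defaultdict(int)  # session_id -> failed logins

    def switch_account(self, session_id: str) -> None:
        # Starts a fresh sign-in flow and throws away the failure count,
        # even if the next attempt targets the same email address.
        self.session_failures[session_id] = 0

    def login(self, session_id, email, password, captcha_solved=False) -> str:
        if self.session_failures[session_id] >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        if _credentials_ok(email, password):
            self.session_failures[session_id] = 0
            return "ok"
        self.session_failures[session_id] += 1
        return "bad_credentials"

class HardenedLogin:
    """Failure counter keyed by *account* on the server; clients cannot reset it."""
    def __init__(self):
        self.failures = defaultdict(int)  # email -> failed logins

    def switch_account(self, session_id: str) -> None:
        pass  # new flow, but the per-account count is untouched

    def login(self, session_id, email, password, captcha_solved=False) -> str:
        n = self.failures[email]
        if n >= HARD_STOP_AFTER:
            return "blocked"  # stop answering; recovery happens out of band
        if n >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        if _credentials_ok(email, password):
            self.failures[email] = 0
            return "ok"
        self.failures[email] += 1
        return "bad_credentials"

def brute_force(service, email, wordlist, use_switch_link=True, can_solve_captcha=False):
    """Attacker loop. Returns (password or None, number of requests sent).
    On a Captcha prompt it first tries the 'different ID' link, otherwise a
    solved Captcha if it has that capability; on any other refusal it gives up."""
    sid = "attacker-session"
    requests = 0
    for guess in wordlist:
        requests += 1
        result = service.login(sid, email, guess)
        if result == "captcha_required":
            if use_switch_link:
                service.switch_account(sid)  # the bypass from the article
                requests += 1
                result = service.login(sid, email, guess)
            elif can_solve_captcha:
                requests += 1
                result = service.login(sid, email, guess, captcha_solved=True)
        if result == "ok":
            return guess, requests
        if result in ("captcha_required", "blocked"):
            return None, requests
    return None, requests

# Constructed wordlist: the real password sits at position 30, beyond both thresholds.
WORDLIST = [f"password{i}" for i in range(29)] + ["hunter22"]

if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLogin(), "victim@example.com", WORDLIST))
    print("hardened:  ", brute_force(HardenedLogin(), "victim@example.com", WORDLIST))
```

Running the script shows the vulnerable service giving up the password after a few dozen requests, while the hardened one refuses at the tenth request and, even for an attacker who can solve Captchas, goes silent once the account has accumulated twenty failures. The check to apply when reviewing a real login flow is where the counter is keyed: anything stored in a cookie, session or hidden form field is attacker-resettable. A pure per-account lockout does let an attacker lock a victim out by design, so production systems usually pair it with per-source throttling and an out-of-band unlock rather than a permanent block.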