A security hole in the Xbox Live network made it easy to find out the email addresses behind gamertags.
Vulnerability not considered critical at first!
Xbox Live had a security hole in its network that made it possible to find out the email addresses associated with gamertags. At Microsoft, the Microsoft Security Response Center (MSRC) is responsible for security. It did not initially consider the problem critical: in its opinion, email addresses are not sensitive data and would not pose a security risk, so the MSRC did not want to pursue the issue any further. However, the problem was then forwarded to the team responsible for this issue, which saw the matter somewhat differently than the MSRC. That team acted immediately and the bug was fixed.
Hacker reported the vulnerability!
The vulnerability was discovered by a hacker, who contacted the magazine Motherboard and pointed out the vulnerability in the network. It was found on the Xbox Enforcement portal, where Microsoft provides information about security and the code of conduct. Through this portal, users can also contact the policy team. In his message to Motherboard, the hacker claimed to have access to the email addresses behind gamertags: no matter which Xbox gamertag, he could find out the email address belonging to it. To verify the claim, the journalists sent the hacker two gamertags. One of them had been created only recently, to make sure that the hacker was not just accessing a database. It didn't take long before the journalists received the correct email addresses for the gamertags. The magazine also informed Microsoft about the vulnerability in its network.
So that no one else could get at the data, the hacker asked Motherboard to make the vulnerability public only after it had been closed. It was probably easy to figure out how to get to the email addresses for individual gamertags. Instagram also had such a hole, through which the email addresses of accounts could be determined. Both vulnerabilities are said to have been very similar. Motherboard also talked to other security experts on the subject. They were not surprised: such holes have probably been “known for years”.