Microsoft has once again denied that Xbox Live's security has been threatened, despite new allegations that hub site Xbox.com has a flaw that makes it especially vulnerable to brute force attacks.
While we've been hearing reports of hijacked accounts for months now, last week brought renewed interest in the rash of hackings as network infrastructure manager Jason Coutee offered a possible explanation. According to Coutee, the Xbox.com login page features a security flaw that makes it very simple to run a "brute force" hacking attempt — repeatedly attempting to log in to an account by guessing the password. While the site does throw up a captcha after after multiple failures, clicking a single link on the page will remove that requirement and allow potential hackers to begin again fresh.
When he tried to warn Microsoft about the problem, Coutee says he was met with disinterest and ultimately ignored outright.
Now, Microsoft has responded to the allegations, explaining to Metro why they didn't listen to Coutee's warning.
"For security reasons, we do not publicly discuss the architecture of the Xbox Live system or account security," the rep explained. "We direct concerned customers to the forums where we monitor for topics such as security concerns. Security in the technology industry is an ever-changing process. With each new form of technology designed to deter attacks, the attackers find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox Live customers information is secure."
And as for the loophole on the Xbox.com login page? MS claims it's a non-issue.
"This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."
On the one hand, they're absolutely right. Brute-force hacking attempts are a common problem, and Xbox.com is far from unique in that regard. On the other, it's entirely possible (and good security practice) to implement a timed lockout on a per-account basis, rather than offering an infinite number of attempts with captcha.
Despite the public denials, Microsoft could certainly be doing more to protect its customers, and I wouldn't be surprised if they quietly update Xbox.com to close the security holes in the coming weeks.
