Ray Walsh

Ray Walsh

October 31, 2017

xbox vulnerabilityYou might not be aware, but your Xbox Live account poses a number of security risks. In this article, you will find out what those Xbox vulnerabilities are and how to protect yourself against them.

Microsoft designed the Xbox to be secure. However, despite their best attempts, a number of vulnerabilities expose Xbox Live account users to cybercriminals and hackers.

Sign up to our newsletter

Receive the best guides and privacy news weekly.

Newsletter sign up

Sign up to our newsletter

Receive the best guides and privacy news weekly.

We promise never to share your email address, ever.

How a 5-year-old Discovered an Xbox One Hack

In 2014, a story emerged about a 5-year-old boy who managed to bypass his Father’s Xbox One password. When prompted for a password, the young boy hit the spacebar a few times before pressing enter. Unbelievably, it worked, and he was granted access to his Dad’s Xbox Live account. It wasn’t a one-time glitch either.

The vulnerability discovered by Kristoffer Wilhelm von Hassel was real, and Microsoft went on to credit him with finding the exploit. Soon after, Microsoft issued a patch. So you shouldn’t need to worry anybody bypassing your password, as long as your system is up-to-date.

The Xbox Live Account’s Most Important Security Vulnerabilities

One Xbox exploit that you need to be aware of first came to light in 2012. At that time, hackers were discovered using lists of gamer tags, accumulated during live games, to search Google for social media accounts belonging to those players. The hackers hoped to discover those users’ Windows Live email address – and possibly even a Windows Live ID.

xbox live account

According to this whitepaper, “hackers would then return to Xbox.com and type in the newly-found email address and a random password. If they received a message indicating the account does not exist, they would move to another email address. If they received a message that the email address or password was incorrect, the hackers would brute force attack the account with a script of dictionary passwords.”

After eight password attempts, Xbox asks the hacker to solve a CAPTCHA or gives them the option to “try with another Live ID.”  This permits the hacker to have another eight tries. By automating this process, hackers are able to slowly work their way through a dictionary of common passwords.

xbox live account vulnerability

If successful entry to the Xbox Live account is achieved, the hacker is able to steal the account holder’s credit card details. In addition, the hacker may steal third-party services already paid for (such as a Netflix account).

It doesn’t stop there either. Hackers could also “spend the user’s points, make purchases, change the user’s gamer tag and password, and change the email address associated with the account”

This vulnerability brings to light the dangers of sharing email addresses and Live IDs online. It is concerning because it can lead to credit card fraud. However, there are more vulnerabilities that users – specifically parents – need to be aware of. Especially when taking into account that the majority of Xbox users are middle school and high school children.

How To Minimize Xbox Live Vulnerabilities

The first thing that Xbox users must consider, is whether the console has recently received security updates. When a new game is purchased, a security update prompt will be offered. Users should always download these security patches, as they are designed to fix newly discovered vulnerabilities that could be exploited by hackers. This is an advantage of associating an Xbox with a Live account, even if no additional purchases are made.

That said, if users are playing old games on an Xbox live account – or have previously decided to save time by dismissing a security update – this could lead to an outdated Xbox system that is vulnerable to attacks.

xbox live account vulnerability warning

Don’t share your Windows Live email address or ID online

Due to certain vulnerabilities, anybody that does attach their Xbox to a live account should be very careful never to disclose the email address and Windows Live ID associated with the account online. In addition, it is essential that the username is chosen carefully and never hints at a real name, address, hometown, or email address.

Password protect Xbox accounts to stop them being compromised

Users should also ensure that their console always asks them for their Windows Live ID and password when they sign into their Xbox Live account. Individual user profiles should also set up passwords on the console.

Profile Awareness

This might seem obvious to players themselves, but parental guardians may not know: Player IDs follow the player themselves and are not attached to a single console. That means that users can log in to their profile from a friend’s console.

This raises concerns because an Xbox live account does not just let people play games – it allows them to chat with 40 million users worldwide. It is even possible for people to pair off in twos and chat privately. Hackers may try to fool the user into divulging their details, which could lead to credit card theft. For this reason, parents may want to sign into Xbox live with a private password that only they know.

It is also worth remembering that Deactivating Xbox Live does not cancel the account. That means that a child can still connect to their account at a friend’s house. The account itself must be canceled to stop it being accessible on other consoles.

Mandatory Permissions

It is also possible to set up a feature on Xbox Live that asks for permissions to be granted before new friends are added, games or chats are started, and Xbox merchandise is purchased. This can be done in console controls and stops anyone from doing things on the account without your awareness.

Control what the user hears in-game

Some games expose users to random players who use abusive language. For users that don’t want to hear these people -or don’t want their children to hear those players – it is possible to set who is heard in-game from “everyone” to  “friends only” or “no one”.

Who set up the Xbox Account?

Parents should always set up the Xbox Live account. If the parent did not set it up, then the child is playing on an adult account. Child and teenager accounts are usually automatically restricted to “friends only”, and certain features are blocked. If you didn’t set up the account yourself, all settings should be checked to ensure that your child is secure.

Visit Xbox Customer Service

For more information on how to protect an Xbox account visit the Xbox site.

Title image credit: ArtSimulacra/Shutterstock.com

Image credits: chrisjohnsson, amirraizat/Shutterstock.com, Aquir/Shutterstock.com, Tinxi/Shutterstock.com