XBox Gamertag Exploit Opens Door For Social Engineering

Here's a rather worrying exploit on the XBox Live service that opens users up to profanity and (more seriously) the possibility of being socially engineered by people who appear to be official Microsoft representatives and / or people working for videogame companies.

What are they doing?

When you have an XBox Live account, you have a Gamertag - in other words, your username. Microsoft have things like profanity filters in place to ensure your username isn't full of swearwords, and it costs money to change your gamertag, so in general it's unlikely someone is going to keep changing their gamertag simply to hassle someone. As a result, people who do hassle others on XBox Live are fairly easy to keep track of and hit with the banhammer when needed.

However, in the last few days, it seems an exploit (previously kept secret) has been leaked on a number of forums, and now it's rapidly spreading across the interwebs (or the gaming portion of it, anyway). As with all of these XBox-related problems, it stems from being able to connect the console to the PC, edit data, then place it back onto the console.

Without going into too much detail, you use a combination of this:

[image]

....and this:

[image]

....and then thoroughly hexing your data. Once this is done, your gamertag (when in a game) will temporarily look like whatever you placed into the edited data. Those of a nervous disposition sensitive to copious amounts of swearing might want to look away now:

[Image: "Avert your eyes, children", originally uploaded by Paperghost.]

Amazingly, you're not supposed to be able to do that.

However, this exploit not only allows you to call yourself Sweary Mc Swearword, it also allows you to leave the name space entirely blank, which results in much confusion and a decrease in the possibility of you being reported for bad behaviour. As you can see, these fake names filter through to services associated with XBox Live, so Bungie (creators of the Halo franchise) quickly end up with swears and / or blank names on their statistics pages. Here's a blank name:

[Image: "The Invisible Man", originally uploaded by Paperghost.]

...and here are some extremely offensive swear words, along with multiple users claiming to be Shishka, a well-known Bungie staff member.

[Image: "Swears and Shishka", originally uploaded by Paperghost.]

Of course, this raises an important issue - if people can pretend to be well-known videogame staff, they can also pretend to be Microsoft employees and then blow the doors wide open with regard to phishing for information and / or login details. We'd already seen a few people talking about pretending to be "Microsoft admins", when someone emailed the following screenshot to us:

[Image: "Hi, I work for Microsoft. No seriously.", originally uploaded by Paperghost.]

I've no idea who this person is, but as you can see, they claim to be "Microsoft!" Combine this with people running around in videogames asking for login credentials, and you have a bad situation.



We've passed on what we have to Microsoft and hopefully they'll address this issue quickly. For now, be wary of anybody claiming to be from videogame companies and Microsoft. If in doubt, headshot the sucker.

