Microsoft has patched a bug in the Xbox website that could have allowed threat actors to link Xbox gamer tags (usernames) to users’ real email addresses.
The vulnerability was reported to Microsoft through the company’s recently launched Xbox bug bounty program.
Joseph “Doc” Harris, one of several security researchers who reported the issue to Microsoft this year, shared his findings with ZDNet earlier this week.
The security researcher said the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site creates a cookie file in their browser with details about their web session, so they won’t have to re-authenticate the next time they visit the site.
Harris said that