Microsoft Accidentally Leaks Xbox Live Keys, User Data at Risk of Man-in-the-Middle Attacks


Private security keys securing Xbox Live accounts have been "inadvertently disclosed," after which Microsoft was forced to update its Certificate Trust List (CTL) for all the supported releases of Microsoft Windows.


Xbox Live at risk of MitM attacks:

The private keys that secure Xbox Live accounts back the digital certificate a client checks when it connects to the domain, confirming that it is talking to the genuine site. Because these private keys were disclosed by Microsoft, connections made to the site can no longer be assumed secure. There is no information about how the leak happened; to remedy the problem, Microsoft has updated its CTL for all supported releases of Microsoft Windows so that the affected certificate is no longer trusted.

The leak means an attacker positioned between a user and Microsoft's servers could impersonate the affected domains and intercept the data in transit, in a typical man-in-the-middle (MitM) attack. Such an impersonation could trick an Xbox user into handing over their username and password, which opens the way to further attacks on the account.

The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue. - Security Advisory

Microsoft says it is not aware of any attacks and that users should be safe after installing all the recommended updates. Patrick Hilt, CTO of Miracle, commented to SCMagazine that this is not a solution but "just mitigation. Older versions of Windows don't automatically update the CTL unless the CTL updater service is manually installed, which will leave some machines open to a MITM attack." However, John Gunn of Vasco Data Security commented in the same report that large-scale attacks placing significant numbers of Xbox Live users at risk "are simply not going to happen." He added, "the leak does open the door to possible man-in-the-middle attacks, but hacking organisations with the potential to inflict serious damage have other methods of attack that will yield better results than this could."

While "this type of disclosure can prove attractive to attackers looking to fool or trick users into giving over private or sensitive information," Josh Goldfarb, CTO at FireEye, told BBC News, "the risk is relatively easy to remediate by updating the list of trusted certificates."

Whatever the extent of any attacks, users are strongly advised to download and install all the recommended updates for Windows, which refresh the list of trusted (and untrusted) certificates on their systems.
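The mitigation described here, and Hilt's point that older Windows versions only pick up CTL changes if the updater is installed, can be verified on a machine. The PowerShell below is an added example, not code from Microsoft or the advisory: it checks whether a certificate thumbprint is already present in the local Disallowed (Untrusted Certificates) store and whether the automatic updater of untrusted certificates is enabled and has synced. The thumbprint is a placeholder (the real value is in the advisory, not on this page), and the registry path and value names are assumed from Microsoft's documentation of the updater.

```powershell
# Added example: audit the disallowed-certificate CTL state on a Windows host.
# Assumptions: CTL entries are surfaced in the LocalMachine\Disallowed store on systems
# that received the update, and the updater records its state under the AuthRoot\AutoUpdate
# registry key (value names below are assumed from Microsoft's updater documentation).
function Test-DisallowedCtlState {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint   # SHA-1 thumbprint, hex, spaces allowed
    )
    # Normalise to the form the certificate provider exposes (uppercase hex, no separators)
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # 1. Is the certificate already blocked in the Disallowed store?
    $blocked = Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb }

    # 2. Is the automatic updater of untrusted certificates enabled, and when did it last sync?
    $regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    # Absent value means the default (enabled); an explicit 0 disables the updater
    $autoUpdateOn = ($null -eq $reg) -or
                    ($null -eq $reg.EnableDisallowedCertAutoUpdate) -or
                    ($reg.EnableDisallowedCertAutoUpdate -ne 0)
    $lastSync = $null
    if ($reg -and $reg.DisallowedCertLastSyncTime) {
        # Stored as a little-endian 64-bit FILETIME
        $fileTime = [BitConverter]::ToInt64($reg.DisallowedCertLastSyncTime, 0)
        $lastSync = [DateTime]::FromFileTimeUtc($fileTime)
    }

    [pscustomobject]@{
        Thumbprint             = $thumb
        InDisallowedStore      = [bool]$blocked
        DisallowedAutoUpdateOn = $autoUpdateOn
        LastDisallowedCtlSync  = $lastSync
    }
}

# Usage: replace the placeholder with the thumbprint published in the advisory.
Test-DisallowedCtlState -Thumbprint 'PLACEHOLDER_THUMBPRINT_FROM_ADVISORY'
```

A host where InDisallowedStore is false and LastDisallowedCtlSync is empty or old is one of the machines Hilt describes, and needs the CTL update applied manually.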

You can find more details and recommendations in Microsoft's security advisory.