Reader Comments (56)

Posted: Jan 17th 2012 9:22AM eat it said

  • 3 hearts
  • Report
20 attempts? Most sites give you 5 chances to get it right, don't they?

Reply

Posted: Jan 17th 2012 9:25AM type2red said

  • 2 hearts
  • Report
@eat it Yea sometimes only 3 times. Square-Enix for example has some of the most annoying and tight security measures I have ever seen, annoying. Oh well hopefully this gets resolved.
Reply

Posted: Jan 17th 2012 9:50AM SokakuTakeda said

  • Half a heart
  • Report
@eat it Some, certainly not most. That "flaw", if you want to call it that, is definitely not the only reason some accounts were accessed. You can only do so much to protect people from their own stupidity and laziness. At some point people have to take responsibility for themselves.
Reply

Posted: Jan 17th 2012 10:57AM jsx92 said

  • 3 hearts
  • Report
As long as the carrot is dangling (FIFA trading card packs) people will continue to find exploits and phish other users. Take away the carrot and the horse stops running, it's simple logic... stop selling FIFA cards (or at least patch the broken scratch-card scam DLC so you can't trade them)... but cash rules everything around us, from Italy/Russia/Poland all the way to Redmond, Washington.

Microsoft might need some security updates, but EA is the company profiting off all of this.
Reply

Posted: Jan 17th 2012 12:33PM Johnnynumber5 is powered by cell said

  • 2.5 hearts
  • Report
@Sokaku Takeda

Could you please elaborate on why this is the consumer's fault and not the fault of MS? I don't understand your argument. MS obviously has recognized the issue by changing its woefully inadequate security measures on signing into your Windows Live ID account. It would seem accounts were compromised because of the sign-in process that allowed for infinite attempts to sign into an account. It also allowed said hackers to know whether there was an XBL account associated with that particular address because of the difference in the displayed error message.

Should people have different secure randomized passwords for their various online accounts? Yes. But if you give someone with the means infinite opportunities to crack a password, it really wouldn't matter how secure the password is because it'd eventually be hacked as well. It's a deterrent, but its effectiveness is diminished if there aren't adequate measures in place by the company entrusted with securing the data. If a thief has all the time in the world to crack a safe, it'll eventually be cracked regardless of the sophistication of the combination.
Reply

Posted: Jan 17th 2012 2:41PM R Planteer said

  • 2 hearts
  • Report
@Johnnynumber5 is powered by cell

If people didn't have stupidly short passwords it wouldn't matter.

If a brute force attacker tried to guess my password 1000 times a second, it would take them over 100 years to guess.

If your password is under 12 digits, at a bare minimum, for something as crucial as your email account, you're doing it wrong.

http://xkcd.com/936/

That being said, the changes MS made were certainly for the better. Hopefully the stupid ones will be better protected from themselves now.
Reply

Posted: Jan 17th 2012 3:49PM Johnnynumber5 is powered by cell said

  • 2 hearts
  • Report
@R Planateer

The first thing they need is the actual sign-in credentials before they get to the part about cracking said password. That was inadvertently supplied to them by MS because of the differing display message for an incorrect password as opposed to an invalid login identification. I'd bet that because of the changes enacted today by Microsoft the number of actual hacks is going to be almost nonexistent. Therefore I think MS are the ones to blame more so than someone with a short passphrase, because MS already gave them half of the solution before they ever started trying to either hack the existing password or reset it by way of security questions. Doesn't the fact that they all of a sudden changed the amount of unsuccessful login attempts (20 vs infinite) and the error message displayed for incorrect email / passphrase make it obvious the problem has more to do with them than it does with their consumers?
Reply

Posted: Jan 17th 2012 3:57PM R Planteer said

  • 2 hearts
  • Report
@Johnnynumber5 is powered by cell

I'm not saying that MS's security was perfect. If you read what I typed, I said that the changes were for the better. Infinite logins is a bit much, although I think 5 is too low for the average user.

What I am saying is that if everyone had a decent password in the first place, it wouldn't matter. A good password is not feasible to brute force hack. Although MS's security measures clearly needed an improvement, the bottom line is that it was not a problem for anyone with a good, strong password.

The blame lies on both sides of the fence: People for having stupid passwords, and MS for not having adequate measures to prevent brute force attacks.
Reply

Posted: Jan 17th 2012 4:22PM Johnnynumber5 is powered by cell said

  • 2 hearts
  • Report
@R Planateer

Assuming the information we have now is accurate and true it could very well be a combination of inept passwords and equally inept security. I think the inept security is why people were targeted in the first place or we'd be seeing equal reports on psn and afaik that's not the case. So, this user base was targeted for a reason and assuming all the info we have is accurate it's because of how easy it is to get preliminary data on your target. I think another question that has to be asked is how these hackers knew which people specifically to target. So assuming you can get email addresses from the web that are tied to an XBL account how then do you know which accounts to target?

Another thing to consider is that MS is still denying there is even a problem with their WLID process. Their stance is still that this is due to phishing and social engineering. I guess this recent security policy change was "coincidental."
Reply

Posted: Jan 17th 2012 8:09PM huffhuffhuff said

  • 2 hearts
  • Report
@eat it
Different schools of thought on this topic. As long as users are sophisticated and they set their passwords according to the typical enterprise policy, this type of authentication policy can make you easily target those who try to hack. Normally people can easily put their password in incorrectly 5 times in a row.
Reply

Posted: Jan 17th 2012 8:13PM BlazeKing said

  • 2 hearts
  • Report
@eat it

Here's what I would do:

Have Live users register an alternate e-mail on their account. This email isn't used for sign-in info at all. Alter the lock-out process by having the system reset the password to a random value after 5 tries. That reset password is sent to the alt e-mail on the account along with a notice of suspected account compromise.

The hackers will be sent into a loop because they will never be able to guess the password and will have to start over every 5 times. Microsoft's way just slows them down.
Reply

Posted: Jan 17th 2012 9:29AM eescala7 said

  • Half a heart
  • Report
Wow....again! When will stupid Sony ever learn...oh wait
Reply

Posted: Jan 17th 2012 9:31AM Dund3r said

  • 3 hearts
  • Report
I removed all payment options associated with my account anyways, just to be safe.
Reply

Posted: Jan 17th 2012 11:10AM Roto13 said

  • 2 hearts
  • Report
@Dund3r Congrats on managing to actually do that. I hear it's a nightmare.
Reply

Posted: Jan 17th 2012 1:52PM REDBELTS said

  • 1 heart
  • Report
@Roto13
Apparently nerds think that typing xbox.com and clicking through a few menus is a nightmare now?
Reply

Posted: Jan 17th 2012 2:28PM Dund3r said

  • 2 hearts
  • Report
@Roto13

It isn't as bad as expected. I contacted a customer services rep over a chat. They cancelled my XBL subscription so they could remove the linked credit card, then emailed me codes so I could get back all the time I had left on my XBL subscription. Took about a half hour and I even gained a few weeks of XBL out of the process. Definitely worth it for peace of mind.
Reply

Posted: Jan 17th 2012 7:01PM Haon said

  • 2 hearts
  • Report
@Dund3r It was a nightmare for me though. Made a couple calls to support and they told me some bs about taking my account offline for 2 weeks so my cc could be removed. The cc got stolen anyway so they can kiss my ass.
Reply

Posted: Jan 17th 2012 9:31AM dohdeaux said

  • 3 hearts
  • Report
how is it that microsoft gets a pass when it's obvious that there is a problem with its security ....fix it already and stop blaming your damn fan base...we were not tricked through phishing scams you assholes!!!
Reply

Posted: Jan 17th 2012 11:11AM Roto13 said

  • Half a heart
  • Report
@dohdeaux Well *obviously* any fanbase stupid enough to keep their 360 in a tiny airtight box which they pick up and shake periodically during play is stupid enough to just give their password to whoever asks for it.
Reply

Posted: Jan 17th 2012 8:20PM Roto13 said

  • 2 hearts
  • Report
@Roto13 That was sarcasm, people, come on. It's referring to Microsoft blaming Xbox owners for the Red Ring of Death for so long and disc scratching.
Reply

Posted: Jan 18th 2012 1:31AM maveric101 said

  • 2 hearts
  • Report
@dohdeaux

"fix it already"

they did.
Reply

Posted: Jan 17th 2012 9:34AM jynxycat said

  • 3 hearts
  • Report
Microsoft notes that the exploit was not a loophole in Xbox.com, but a brute force attack that is an "industry-wide issue."

... yeah, maybe 15 years ago. Hotmail used to allow popmail requests from external sources with no lockout. Brute forcing those was a breeze -_-

Get with the times, Microsoft.
Reply

Posted: Jan 17th 2012 10:42AM jsx92 said

  • 2 hearts
  • Report
They have tight security requirements for third-parties. It's not that they don't know what they're doing, it's that they can't be bothered.

Does WLID constantly break for non-Mac users? On a Mac/Safari I constantly get stuck in endless redirect loops trying to access xbox.com and I have to visit live.com just to sign in and make it stop. No surprise given that the WLID sign-in page has been the same since before 2005.

Point is, Microsoft knows how to make software, they just cut every possible corner doing it and only update it after it's been hacked to death (Windows, IE, and now WLID).
Reply

Posted: Jan 17th 2012 11:14AM DMS0205 said

  • 2 hearts
  • Report
@jynxycat I read the same thing and laughed. In my book, what the hackers were doing is the definition of a loophole.
Reply

Posted: Jan 18th 2012 1:14AM This Little Man Says His Name Is said

  • 2 hearts
  • Report
@jsx92

Your infinite redirect sounds more like a problem with Safari than xbox.com. I've had no problems logging in via IE/Firefox/Chrome on a Windows machine and no problem with Firefox on a Mac.
Reply

Posted: Jan 17th 2012 9:42AM Negatron said

  • 1 heart
  • Report
It's not just MS with issues. Hackers seem to be really trying this season.

On Google+ I innocently chatted about a specific MMO on a public timeline. Not thinking that far ahead, let's just say the email / account I used on G+ was the same as my MMO login. Not even an hour passed before I tried logging in and was locked out from (someone other than me) trying to log into SWTOR.

Let's just say in my 30+ years I've been lucky on getting hacked and the like. G+? Deleted off all devices, and my trust of my internet brethren is gone :p *looks about room with shifty eyes*
Reply

Posted: Jan 17th 2012 9:55AM SokakuTakeda said

  • 2 hearts
  • Report
@Negatron I don't know you, but by reading your post I'd say that it's not that you've been lucky, it's that you've been smart. Most people don't care until something happens, then it's someone else's fault. I can't recall the number of times I've consulted for a business and told them they needed to change their password policy only to have them flat out refuse even the most basic of basics.
Reply

Posted: Jan 17th 2012 10:28AM Negatron said

  • 2 hearts
  • Report
On a side note I tip my hat to Bioware with their simple but effective default security setup. I'd rather be locked out of my account, requiring a password reset, than hacked altogether.
Reply

Posted: Jan 17th 2012 9:54AM SurlyDuff said

  • 3 hearts
  • Report
Typical Xbox PR response.

To the customers: "Everything is fine, no problems here, this is an isolated event. Continue your entertainment purchases."

Internal memos: "Oh fuuuuuuuck. We screwed up. Fix it. Quietly."
Reply

Posted: Jan 17th 2012 10:20AM DarkNightRJ said

  • 2 hearts
  • Report
What would really help is if they didn't tell them if the Windows Live ID exists or not. You should know if your own ID exists.
Reply

Posted: Jan 17th 2012 10:37AM honeycut1 said

  • 2 hearts
  • Report
Well this doesn't help my friend who had his account hacked this morning. He's from New York, but now his profile lives in Italy and is selling Fifa gold packs.
Reply

Posted: Jan 17th 2012 10:41AM Koming said

  • 2 hearts
  • Report
5 minutes of waiting after x attempts makes brute force impossible to be viable. so it's not an industry-wide issue
Reply
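
The sign-in weaknesses the thread keeps coming back to (Johnnynumber5's point above about unlimited attempts and a different error for an unknown ID, DarkNightRJ's suggestion not to reveal whether an ID exists, and Koming's cooling-off period after x attempts), as an added toy model that is not code from these comments or from Microsoft. The email addresses, messages, PBKDF2 settings and the injectable clock are constructed for the example; the 20-attempt limit is simply the number the thread quotes. The leaky mode shows both weaknesses beside the hardened mode, and the two check functions at the end are the regression tests a defender would run against a sign-in page.

```python
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 20    # wrong guesses before a cooling-off period (the "20 attempts" in the thread)
LOCKOUT_SECONDS = 5 * 60  # temporary lock only, so an attacker cannot permanently lock someone out
PBKDF2_ROUNDS = 10_000    # kept small so the demo runs quickly; use far more in production
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class LoginService:
    """Toy sign-in (constructed example): hardened=False has the thread's two weaknesses."""
    def __init__(self, hardened, clock=time.monotonic):
        self.hardened = hardened
        self.clock = clock                  # injectable so a test can fake the passage of time
        self.users = {}                     # email -> (salt, pbkdf2 hash)
        self.failures = {}                  # email -> (failed_count, locked_until)
        self._dummy_salt = os.urandom(16)   # lets unknown-ID checks cost the same as real ones

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _hash_pw(password, salt))

    def login(self, email, password):
        now = self.clock()
        if self.hardened:
            _, locked_until = self.failures.get(email, (0, 0.0))
            if now < locked_until:          # refuse even a correct password while locked
                return False, "Too many attempts; try again later."
        record = self.users.get(email)
        if record is None:
            if not self.hardened:
                return False, "That Windows Live ID does not exist."  # leaks existence
            _hash_pw(password, self._dummy_salt)  # same work as a real check (timing)
            self._record_failure(email, now)      # counted too, so lockout reveals nothing
            return False, "The email address or password is incorrect."
        salt, stored = record
        if hmac.compare_digest(_hash_pw(password, salt), stored):
            self.failures.pop(email, None)
            return True, "Signed in."
        if not self.hardened:
            return False, "The password is incorrect."  # different text: an enumeration oracle
        self._record_failure(email, now)
        return False, "The email address or password is incorrect."

    def _record_failure(self, email, now):
        count, locked_until = self.failures.get(email, (0, 0.0))
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self.failures[email] = (count, locked_until)

def enumeration_oracle(service, known_email):
    """Regression check: True if an unknown ID is answered differently than a known ID with a wrong password."""
    unknown = service.login("nobody-" + known_email, "wrong-guess")[1]
    return unknown != service.login(known_email, "wrong-guess")[1]

def first_refused_attempt(service, email, cap=50):
    """Number of the first wrong guess refused outright; 0 if none within cap."""
    for i in range(1, cap + 1):
        if service.login(email, f"guess-{i}")[1].startswith("Too many attempts"):
            return i
    return 0
```

The hardened service counts failures against the submitted ID whether or not it exists, so the lockout itself cannot be used as a second oracle; huffhuffhuff's objection above (lockouts can be turned against legitimate users) is why the lock is time-limited rather than permanent.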

Posted: Jan 17th 2012 10:50AM Dick Socrates said

  • 2 hearts
  • Report
Anal Original Gangsta Hype?
Reply

Posted: Jan 17th 2012 11:05AM (Unverified) said

  • Half a heart
  • Report
I like how everyone wants to blame Microsoft. You know how much companies love to lie about things, then get caught later and pay a huge fine or even worse. Everything I have heard from Microsoft so far makes complete sense. I believe most people have poor passwords. I'm not going to take people's complaints on message boards as proof of anything else.
Reply

Posted: Jan 17th 2012 11:22AM Roto13 said

  • 2.5 hearts
  • Report
@(Unverified) How about the fact that this isn't happening on PSN, Steam, or most other services that require a login? What are you saying about Xbox owners exactly?
Reply

Posted: Jan 17th 2012 11:26AM DMS0205 said

  • 2 hearts
  • Report
@(Unverified) It is a mix of both Microsoft and weak passwords. But the bottom line is Microsoft is hiding the fact there was an issue. Even in their statement they said there was no loophole on xbox.com. Yes, there was a loophole on xbox.com. They were correct in saying that Live was not hacked, but they still need to own up and see that there was an issue.
Reply

Posted: Jan 17th 2012 1:24PM (Unverified) said

  • 2 hearts
  • Report
@Roto13

I'm saying a lot of Xbox owners are idiots. Have you been on Live lately? I just hope a lot of these people are the hate spewing ignorants on Live who are losing their money.
Reply

Posted: Jan 17th 2012 2:06PM gravemistake said

  • 2 hearts
  • Report
@Roto13
Except for the fact that it is. It happens to Steam users, Google users, Twitter users and Apple iTunes users all the time... you just don't hear about that because it's not the cool thing to report on right now.

The moment that an article on a popular site is written about a company like Apple where users' accounts are being hacked I am sure you will see the same type of thing... everyone posting about how it happened to them (over the past few years) and how horrible the company is because their account was hacked and it must be the company's fault for the hack... etc.

I think the likely culprits are those lists of email addresses/usernames and passwords out there in the wild. Plug in an email address/username to a popular service and see if you can gain access to the account using the corresponding password.
Reply

Posted: Jan 17th 2012 4:02PM Johnnynumber5 is powered by cell said

  • 2 hearts
  • Report
@gravemistake

The difference is the series of XBL account hacks happened all at once around the same time frame. We aren't talking about a handful of people's accounts being compromised. This was a massive exploit in the WLID security protocols. Theft or account phishing is always a possibility and always will be, but comparing random & isolated occurrences and this FIFA / XBL / WLID breach goes far beyond random people being targeted.

It sounds like you are saying this is a hit piece on MS because it's happening to everyone else. I'd say that opinion is missing the bigger picture of how widespread it's become. Lots of affected users telling similar stories at the same time. Many of whom claim to have had secure randomized passwords.

This story has some legs. Don't expect it'll go away any time soon. I think people's frustrations are just as much with MS as they are with being hacked because they are basically being called unaware morons who were preyed upon because of their stupidity and lack of caution with respect to their online accounts.
Reply

Posted: Jan 17th 2012 11:13AM (Unverified) said

  • 2 hearts
  • Report
Wish they would have implemented this like 5 days ago, before I got hacked...
Reply

Posted: Jan 17th 2012 12:17PM Lerkero said

  • 2 hearts
  • Report
20 attempts?

If you don't know it after the first 3-5 then you shouldn't be allowed to continue anyways. That's why there are security questions, account lockout, and alternate email addresses.
Reply

Posted: Jan 17th 2012 1:54PM REDBELTS said

  • 2 hearts
  • Report
@Lerkero
Obviously this is an exploit. Normal process locks you out completely after three failed password attempts.
Reply

Posted: Jan 17th 2012 12:18PM Johnnynumber5 is powered by cell said

  • 2.5 hearts
  • Report
"Microsoft notes that the exploit was not a loophole in Xbox.com, but a brute force attack that is an "industry-wide issue.""

Industry wide issue? Shouldn't they elaborate on the specifics of that assertion? It'd also seem wise to publicly announce the changes in the windows live id sign in process. It sounds like they don't want to take any responsibility for these attacks even though they are obviously to blame. By not specifically addressing the issue they are setting themselves up for a possible cataclysmic public relations nightmare. This blame the consumer and industry mentality is eerily similar to the initial reporting of the rrod issue.
Reply

Posted: Jan 18th 2012 1:39AM maveric101 said

  • 2 hearts
  • Report
@Johnnynumber5 is powered by cell

"setting themselves up for a possible cataclysmic public relations nightmare"

you'd like that, wouldn't you? you've always been a huge Sony fanboy, and i know you'd like to prove that MS is just as vulnerable.

the bottom line is that this WAS a security flaw in MS's sign-in process, but one that is exceedingly easy to fix, unlike Sony's multitude of egregious security flaws. By keeping the public exposure to this incident at a minimum, nobody but the tech nerds will find out. Xbox Live will not be shut down for a month; nobody will give a shit. there will be no brouhaha, and MS will continue on. right or wrong, that's how it's gonna go. deal with it.
Reply

Posted: Jan 17th 2012 12:47PM TC said

  • 3 hearts
  • Report
Phew, just in time for me to hand my code to Microsoft's PR:

10 IF complaint IS MORE THAN serious THEN GOTO 40
20 IGNORE complaint
30 END
40 IF complaint IS LESS THAN litigious THEN GOTO 80
50 PRINT 'WE HAVE HAD A SMALL PERCENTAGE OF complaint, HOWEVER complaint IS OUR NUMBER ONE PRIORITY AND SOMETHING MICROSOFT TAKES VERY SERIOUSLY, WE WILL ASPIRE TO RESOLVE THIS TO EVERYONES COMPLETE SATISFACTION'
60 RUN fix
70 END
80 PRINT 'I CAN STATE WE HAVE HAD NO ISSUE WITH complaint, MICROSOFT CONTINUOUSLY AUDITS ITS SYSTEMS TO AVOID ISSUES OF complaint.'
90 GOTO 20
Reply

Posted: Jan 17th 2012 1:07PM baby sea tuna said

  • 2 hearts
  • Report
@TC

I don't speak nerd, but I'll go ahead and assume that was funny enough to warrant the double posting. Maybe you can fix Joystiq's comment system while you're at it.
Reply

Posted: Jan 17th 2012 6:27PM damnreds said

  • 3 hearts
  • Report
@TC
i think that script might be too complicated for a standard PR person to use. could you make it more basic?
Reply

Posted: Jan 17th 2012 8:23PM Roto13 said

  • 2 hearts
  • Report
@baby sea tuna Your avatar is Mario with a headcrab. Don't pretend you're not family.
Reply

Posted: Jan 17th 2012 2:30PM butaneko said

  • 2 hearts
  • Report
In the process borking the site for Safari on iOS? Any time I try going to their site lately it goes into a login death loop ending in an error message.
Reply