Microsoft has applied an update to its Xbox360.com Web site to address a cross-site scripting vulnerability that could have been exploited by phishers to snag sensitive personal information from online gamers.
The flaw was discovered by San Jose, Calif.-based IT security services firm Finjan Software Ltd. and fixed within 12 hours.
Finjan did not publicly release details of the vulnerability, which the company said could potentially be exploited to hijack e-mail addresses, home addresses, credit card numbers and other confidential information from customers who pre-ordered the brand-new game console.
The company said in a statement that on May 19 it provided Microsoft with “full technical details, including proof-of-concept, concerning the vulnerability, in order to assist Microsoft with the fix.”
Finjan confirmed that the Web site, which makes heavy use of Flash technology, is no longer exposed to the scripting flaw.
Microsoft uses the Xbox360.com site to provide information to consumers about the Xbox gaming system. It also serves as an extension of the Xbox Live subscription service and requires users to provide personal information, including credit card data, to create accounts and make online purchases.
The site uses the Microsoft .Net Passport service to provide registration and sign-in services.
Separately, security-alerts aggregator Secunia has raised the alert for a “moderately critical” denial-of-service flaw in “Halo: Combat Evolved,” a popular PC game developed by Bungie Studios and published by Microsoft Games.
The vulnerability, which affects version 1.06 and Custom Edition 1.00, is caused by an error in communication handling.
“This can be exploited to cause a vulnerable service to enter an infinite loop and consume a large amount of CPU resources by sending a specially crafted UDP [User Datagram Protocol] datagram to the server,” Secunia warned.
A detailed advisory has been published by Luigi Auriemma, the security researcher who discovered the “Halo: Combat Evolved” bug.
In the absence of a fix, Secunia recommends that games be hosted on a trusted network only.