Microsoft Takes Countermeasures After Xbox Live SSL Certificate Blunder
Since the keys have been leaked, connections may not be secure.
Microsoft has issued a warning that the Xbox Live website is susceptible to attacks after the company “inadvertently disclosed” a security certificate. “The certificate could be used in attempts to perform man-in-the-middle attacks”.
The news was announced in a tweet from Xbox Live’s Director of Programming Larry Hryb, and will come as a welcome development for PC users who had been unable to use the Xbox One’s wireless controller with a PC. In a statement (via GameSpot sister site ZDNet), Microsoft said it is “not now aware” of any attacks related to the issue and is working to resolve it. In practice, an attacker impersonating Xbox Live with the disclosed certificate could trick an Xbox user into handing over their username and password, opening the door to further attacks.
However at launch it seemed that Microsoft was intent on promoting Windows 10, so much so that support for the device was only available for Windows 10 PCs.
System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability.
Patrick Hilt, CTO of Miracl, told SCMagazineUK.com that the incident underscores a fundamental architectural flaw inherent in the design of PKI, the security infrastructure that underlies digital certificates. Without explaining how the digital certificate was “inadvertently disclosed”, Microsoft has started fixing the issue by pushing updates to its products.
Xbox Live has millions of registered users, many of whom have credit-card details stored on their Xbox Live accounts.
Josh Goldfarb, CTO of Emerging Technologies at FireEye, told SCMagazineUK.com that although there is potential for abuse here, the risk is relatively easy to remediate by updating the list of trusted certificates.