[WASC-WHID] WHID 2011-62: Another Xbox Live director hacked!

WASC Web Hacking Incidents Database wasc-whid at lists.webappsec.org
Mon Apr 25 20:02:23 EDT 2011


Ryan,

http://www.networksolutions.com/, rather than Stepto, was socially
engineered, and subsequently his DNS records were modified by
"PredatorSik" and the password reset to Stepto's X-BOX LIVE Account.

BTW, his handle is "PredatorSik" *not* "Predator" i.e.
http://twitter.com/#!/PredatorSik

YouTube URLs (now removed)
http://www.youtube.com/v/ryfZv_qq7Uk
http://www.youtube.com/v/f_jDglN0wVs

Mirror of the YouTube Video
http://www.tarreo.com/noticias/12607/Roban-la-cuenta-del-jefe-de-Politicas-de-Xbox-LIVE/
- scroll down towards the end of the post but before the comments.

On Mon, Apr 25, 2011 at 11:13 PM, WASC Web Hacking Incidents Database
<wasc-whid at lists.webappsec.org> wrote:
> Entry Title: WHID 2011-62: Another Xbox Live director hacked!
> WHID ID: 2011-62
> Date Occurred: April 6, 2011
> Attack Method: Social Engineering
> Application Weakness: Insufficient Process Validation
> Outcome: Account Takeover
> Attacked Entity Field: Entertainment
> Attacked Entity Geography:
> Incident Description: A hacker known as “Predator” has been able to phish
> information from Xbox Live’s Director of Policy and Enforcement, Stephen
> Toulouse (aka “Stepto”), gaining email and address information via his
> personal website server and was then able to alter the Chief’s details
> online.
> Mass Attack: No
> Reference: http://blog.gadgethelpline.com/xbox-live-director-hacked/
> Attack Source Geography:



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact



