Microsoft 'Inadvertently Disclosed' Xbox Live Keys, Putting Accounts At Risk

Here's a bit of a strange issue. Microsoft, via its TechNet website, has said that the encryption keys used to secure the connection between a Windows PC and the xboxlive.com domain have been "inadvertently disclosed." At the current time, Microsoft isn't telling us exactly how that happened, but the fortunate thing is that the company has been rather quick in issuing a fix.

With the keys used to validate a security certificate in the hands of malicious users, man-in-the-middle attacks could be performed. In a MITM attack, an attacker inserts themselves into a connection to either read the traffic passing through it or reroute it. We saw an example of a MITM attack earlier this year when the Chinese government redirected Baidu search traffic to help take down GitHub, a source code hosting website that allowed users to get around "Great Firewall of China" limitations.

[Image: Xbox. Credit: Gage Skidmore]

One thing that stands out about this issue is that Microsoft's TechNet page states that the previous *.xboxlive.com certificate became invalid after December 1, whereas the updated keys and certificate were only just released (through Windows Update). This does seem to imply that for at least a week, connections to xboxlive.com were not secured.

It's important to note that this issue didn't affect the Xbox 360, Xbox One, or Xbox Live service itself. Instead, it only applied to the website when accessed through a computer or Windows smartphone. Ultimately, despite the key leak being notable, the overall risk was quite minimal, especially given how quickly it was rectified.

Even so, for an important security key to be accidentally released is downright bizarre. We of course hope that Microsoft will take steps to make sure that this doesn't happen again in the future.