A Brazilian security researcher discovered three vulnerabilities in the Microsoft Store platform used to purchase applications and games. They allow everything from the generation of fake invoices to fraudulently adding money to the attacker's own account.
Researcher Marlon Fabiano, also known by the nickname “Astrounder”, is an old acquaintance of the Microsoft community. In August 2020, he discovered a vulnerability in the Xbox Live subscription platform that allowed anyone to register Xbox Live, Game Pass and Game Pass Ultimate subscriptions for free.
Microsoft denied the vulnerabilities, but they were corrected as a result
Microsoft was alerted by TecMundo about the new vulnerabilities and replied: “We reviewed the reports and information we received and found no security vulnerabilities. We encourage the researcher to contact the Microsoft Security Response Center with additional information so that we can assess any complaints and take the necessary steps.”
The researcher had contacted Microsoft beforehand and received no response. Weeks after TecMundo contacted the company, the vulnerabilities were corrected, yet Marlon Fabiano still had his account blocked, in a completely unreasonable move by the responsible team at Microsoft.
The first bug allows a malicious agent to generate invoices for Xbox games even when the purchase is never completed. A scammer could use this vulnerability to make money at Microsoft's expense.
Xbox will pay the tax on the game sold and the scammer can profit up to 30%
In São Paulo, for example, there is the “Nota Fiscal Paulista” program, under which the consumer gets back part of the tax paid on products and services, based on the nota fiscal (the Brazilian tax invoice, or NF). In other words, an attacker could raise money through this bug with fraudulent invoices.
“As the Microsoft Store generates NFs without any kind of control, it is possible to try to purchase games in pre-sale without paying for them, and even when the game licenses are revoked for non-payment, the scammer will receive the game invoice as if they had made the purchase,” said Marlon Fabiano. “And with that Xbox will pay the tax amount on the game sold and the scammer will be able to profit up to 30% of the value of the ICMS.”
[Image: part of the process]
Another vulnerability found by the researcher allows a good deal of money to be taken from Microsoft. Basically, the bug consists of creating confusion around a supposed purchase; when Microsoft notices the problem with the customer, it usually sends a “gift” of R$ 27. The flaw allows this scheme to be abused to receive several such “gifts”.
“Continuing the same reproduction of the previous bug: when we received the invoices for the purchased games but did not receive the purchased game, there is a window where you can play the purchased games with the bug 1-3 days after its release. After that the license of the game will be revoked and you will not be able to play it anymore. With this, there is a process that validates whether the user who received the invoice also received the game,” explains the researcher.
“If the user, even after receiving the invoice, has not yet received the game, the purchase price will be refunded to the registered credit card. However, as we do not have a valid card for the chargeback, we do not receive a refund. So, to alleviate all this confusion with the purchase and to please its customer, Microsoft sends a ‘treat’ of R$ 27.00.”
The researcher showed that, with patience, it is possible to repeat this process several times in order to collect the refund money. A malicious agent could create multiple accounts, add money to those accounts' wallets and resell the store's games. “As there is an option to buy the game as a gift, the games could be sent to any Xbox Live user,” he says.
Another important point is that there is no segregation between the Microsoft Store and the Xbox store. Therefore, if a large balance is added to the user's account, this user will be able to purchase not only games but also Windows and Office 365 licenses, mice, laptops, etc.
[Image: part of the process]
Buying gold and paying bronze
The third and final vulnerability follows the same logic as the previous ones. This time, it allows a malicious user to buy games or apps in the Ultimate or Deluxe edition while paying for the standard edition. In other words: select the most expensive version available and pay for the cheapest.
“Follow the same steps we used to generate invoices without paying for the game. The difference is that in this case we must choose the most expensive version of the game. We performed the test on the Watch Dogs Legion game, in which the Standard edition costs R$ 279.95 and the Ultimate edition costs R$ 459.95. We purchased the Ultimate Edition of the game with an invalid card, and when the game is released we will have the license revoked. And if we try to play it after its launch we will receive the message that the game must be purchased again,” explains Fabiano, who continues:
“The problem is that Xbox revokes only the license for the game and not the license for premium content, Season Pass, DLCs, etc. So in this case, even though we no longer have the base game license, we still have the license for all the rest of the premium content. Now, to enjoy the Ultimate edition of the game (valued at R$ 459.95), we only need to buy the standard version of the game, paying R$ 279.95. This gives us savings, and losses for Microsoft / Ubisoft, of R$ 180.00.”
The last process was reported in more detail because Microsoft said there was no vulnerability, yet it corrected the flaw in the process anyway.
Marlon Fabiano acted as an ethical hacker: he found the flaw, sent an error-free report to the responsible company, and only after months without an answer did he contact TecMundo. Contrary to how companies have been approaching cybersecurity recently, Microsoft denied the flaw, corrected it nonetheless and even banned Fabiano's account. The researcher should be rewarded, not cornered.
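The two storefront rules the first and third findings turn on (an invoice being produced before payment settles, and revocation pulling only the base-game licence) can be shown side by side with their hardened counterparts. This is an added Python model, not TecMundo's or Microsoft's code; the catalogue, edition names and entitlement labels are constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed sample catalogue: the Ultimate edition bundles premium content.
EDITIONS = {"standard": {"base_game"},
            "ultimate": {"base_game", "season_pass", "dlc_pack"}}

@dataclass
class Order:
    edition: str
    settled: bool  # True only once the card payment actually cleared

@dataclass
class Account:
    entitlements: set = field(default_factory=set)
    invoices: list = field(default_factory=list)

def grant(account, order):
    """Pre-order flow: content is unlocked before payment is confirmed."""
    account.entitlements |= EDITIONS[order.edition]

def issue_invoice_weak(account, order):
    """Weak rule: an invoice is produced for every order, paid or not."""
    account.invoices.append(order.edition)
    return True

def issue_invoice_hardened(account, order):
    """Hardened rule: no invoice until the payment has settled."""
    if not order.settled:
        return False
    account.invoices.append(order.edition)
    return True

def revoke_weak(account, order):
    """Weak rule: only the base-game licence is pulled; premium content survives."""
    account.entitlements.discard("base_game")

def revoke_hardened(account, order):
    """Hardened rule: pull every entitlement the unpaid edition granted."""
    account.entitlements -= EDITIONS[order.edition]

def simulate(issue_invoice, revoke):
    """Unpaid Ultimate pre-order is revoked, then a paid Standard copy is bought.
    Returns (invoices on file, entitlements the account ends up with)."""
    acct = Account()
    unpaid = Order("ultimate", settled=False)
    grant(acct, unpaid)
    issue_invoice(acct, unpaid)
    revoke(acct, unpaid)  # non-payment detected after release
    paid = Order("standard", settled=True)
    grant(acct, paid)
    issue_invoice(acct, paid)
    return acct.invoices, acct.entitlements
```

Under the weak rules the account ends up with an invoice for the unpaid Ultimate order and all of its premium content while having paid only the Standard price; under the hardened rules only the paid order is invoiced and only its entitlements remain.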
[Image: part of the process]