Xbox Live Certificate Leaked, Microsoft Warns of Possible Attacks

Security certificate "inadvertently disclosed," Microsoft says.


Microsoft has issued a warning that the Xbox Live website is susceptible to attacks after the company "inadvertently disclosed" a security certificate. In a statement (via GameSpot sister site ZDNet), Microsoft said it is "not currently aware" of any attacks that were related to the issue and is working to resolve it.

It's also important to note that this issue does not affect the Xbox One or Xbox 360; it affects only Windows 10 and Windows Phone devices, according to a list of affected platforms.


"The certificate can be used by an attacker to impersonate the xboxlive.com domain and carry out a so-called 'man-in-the-middle' attack, which allows the attacker to intercept the website's secure connection," ZDNet explains. "This could trick Xbox users into handing over their username and password, potentially leading to further attacks on the user."

Here's what Microsoft had to say in its own statement on the matter:

"Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed," it said. "The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows."

"To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate."

More details about this security issue are available at Microsoft's website.
