Jason Coutee, the whistleblower who may have exposed the Xbox.com password weakness behind the galling prevalence of illicitly accessed Xbox Live accounts, reports that Microsoft may have quietly tightened security by limiting login attempts to 20: partly to address the brute-force issue, but possibly also to discredit his report without making a public admission of an Achilles' heel. Full report after the break.
In a statement to Eurogamer, Coutee reports that the Xbox.com servers now stop replying after 20 login attempts, a change that, interestingly, coincided with Microsoft's statement over the weekend. Could the silent update have been made to preserve public image as well as to prevent future brute-force attempts?
Shortly after IGN posted the Microsoft response [here], the server over at Xbox.com started handling the brute force script differently.
Before, it would just let you try over and over. But now it seems that, even though I'm still able to use the link to get past the CAPTCHA, they handle the sign-in request on the server in a way that it will stop replying after about 20 attempts. To me, this seems like they tightened security but didn't make any noticeable changes on the front-end so they could discredit me.
Good news is that at least they lengthened the time it would take to brute-force Live IDs.
Good news indeed, but if Xbox.com is the cause behind the recent hacking woes, a public apology is the very least Microsoft could do. Many of our readers have fallen prey to this spate of attacks, and frankly, they're owed an explanation.
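To make the change Coutee describes concrete, here is an added example (not code from Microsoft, Coutee, or this site) that models a login endpoint before and after a server-side attempt cap and runs a brute-force loop against each. The 20-attempt figure comes from the post; the per-account counter, the one-hour reset window, the 0.05 s per attempt, and the account and wordlist data are all constructed assumptions.

```python
"""Model of the login-throttling change described above.

Constructed example. The 20-attempt cap is the figure reported in the post;
everything else (per-account counter, reset window, timings, test data) is
an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

ATTEMPT_CAP = 20  # "about 20" in the post; treated as a hard cap here


@dataclass
class LoginServer:
    passwords: dict                       # account -> correct password (constructed)
    cap: Optional[int] = None             # None = answer every attempt ("before")
    window: float = 3600.0                # seconds until a counter resets (assumed)
    attempts: dict = field(default_factory=dict)  # account -> (count, window_start)

    def login(self, account: str, password: str, now: float = 0.0):
        """True/False for a valid/invalid attempt, or None when the server
        stops replying because this account has hit the cap in this window.
        The counter lives server-side, so a front-end CAPTCHA bypass does
        not affect it."""
        count, start = self.attempts.get(account, (0, now))
        if now - start >= self.window:        # window expired: start a fresh one
            count, start = 0, now
        if self.cap is not None and count >= self.cap:
            self.attempts[account] = (count, start)
            return None                       # silently drop: no reply at all
        self.attempts[account] = (count + 1, start)
        return self.passwords.get(account) == password


def brute_force(server: LoginServer, account: str, wordlist, seconds_per_attempt=0.05):
    """Try each candidate until success or until the server goes quiet.
    Returns (found_password_or_None, attempts_answered, stopped_by_server)."""
    now, answered = 0.0, 0
    for candidate in wordlist:
        result = server.login(account, candidate, now)
        now += seconds_per_attempt
        if result is None:
            return None, answered, True       # server stopped replying
        answered += 1
        if result:
            return candidate, answered, False
    return None, answered, False


def worst_case_seconds(wordlist_size: int, cap: Optional[int], window: float,
                       seconds_per_attempt: float) -> float:
    """Time to exhaust a wordlist: unlimited attempts versus `cap` per window.
    With a cap, the attacker must wait out one full window per `cap` guesses."""
    if cap is None:
        return wordlist_size * seconds_per_attempt
    full_windows = (wordlist_size - 1) // cap
    leftover = wordlist_size - full_windows * cap
    return full_windows * window + leftover * seconds_per_attempt


# Constructed test data: a 1000-entry wordlist with the real password at index 500.
WORDLIST = [f"pw{i:04d}" for i in range(1000)]
ACCOUNTS = {"victim": "pw0500"}


def before_and_after():
    """Run the same brute-force script against the unlimited and capped servers."""
    before = brute_force(LoginServer(ACCOUNTS), "victim", WORDLIST)
    after = brute_force(LoginServer(ACCOUNTS, cap=ATTEMPT_CAP), "victim", WORDLIST)
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("unlimited server:", before)   # password found after 501 answered attempts
    print("capped server:   ", after)    # server went quiet after 20 answered attempts
    print("worst case, unlimited:", worst_case_seconds(len(WORDLIST), None, 3600.0, 0.05), "s")
    print("worst case, capped:   ", worst_case_seconds(len(WORDLIST), ATTEMPT_CAP, 3600.0, 0.05), "s")
```

The point of the model is that the counter is enforced on the server per account, which is why the script still getting past the CAPTCHA no longer helps; the remaining weakness is the reset window, which turns an instant crack into one window's wait per 20 guesses rather than stopping the attack outright.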