Microsoft plugs phishing hole in Xbox site

Flaw could have been used to prey on people interested in finding out more about the new 360 console.

Ina Fried Former Staff writer, CNET News

During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.

See full bio

Ina Fried

May 25, 2005 11:39 a.m. PT

Microsoft has patched a flaw in its Xbox 360 Web site that researchers say could have opened the door to a phishing attack.

Security company Finjan Software said that it notified the software maker of the issue last week and that Microsoft patched its site within 12 hours. The flaw was what is known as a cross-site scripting vulnerability, which could have been exploited by hackers to gather credit card data and other personal information from people looking to get more information about the new game console.

"This discovery is another example of our cooperation with Microsoft and other leading software vendors to fix vulnerabilities before they are exploited by the hacking community," Finjan CEO Shlomo Touboul said in a statement.

A Microsoft representative confirmed that Finjan reported the bug and that the two companies worked to close the security hole. The representative said Microsoft is not aware of any attacks that exploited the vulnerability.

Earlier this year, Microsoft and Finjan became embroiled in a disagreement over the timing of flaw disclosure. The software giant criticized the San Jose, Calif.-based company for posting "proof of concept" code to exploit a security hole on the same day Microsoft released a patch.

Microsoft announced its plans for the second-generation Xbox earlier this month. The game player doesn't go on sale until the holiday shopping season, but the Xbox 360 Web site has gone live with some video clips, game previews and an option to sign up for updates.