Xbox promo site targeted in Microsoft Points exploit

People looking to get free virtual currency from Microsoft found a way earlier this week--to the tune of $1.2 million--by exploiting the URL headers of a promotional site handing out Microsoft Points.

Josh Lowensohn Former Senior Writer
A number of people have made off with a chunk of virtual change--an estimated $1.2 million--from Microsoft as part of an exploit that left one of the company's promotional sites spitting out codes for free blocks of Microsoft Points.

The exploit, which was discovered by forum members of enthusiast site The Tech Game over the weekend, centered on a promotion Microsoft was running on a temporary site that offered users a choice of two free days of Xbox Live Gold, a virtual item for their Xbox Live avatar, or 160 Microsoft Points. While a small denomination, 160 Microsoft Points equals $2, which could then be stacked with existing account balances, making the item the most appealing target of the bunch.

The attackers devised a way to tweak the URL of the promotional site to have it repeatedly spit out codes, with most going for the free points. According to games blog Save and Quit, Microsoft shut the site down within hours of the exploit being unearthed, after the site had buckled under the surge of traffic, but not before enterprising users made off with an estimated $1.2 million in virtual currency.

A Microsoft representative told CNET that all the generated codes have since been invalidated, and that the company was "evaluating" a number of accounts to see if they violated Xbox Live's terms of use:

"We are aware of the situation and have taken steps to invalidate the codes obtained illegitimately. We take safety and security very seriously and require that Xbox LIVE members use the service in compliance with applicable laws and specifically prohibit people from engaging in illegal activity as a part of our Terms of Use and Code of Conduct. Our Policy and Enforcement team is evaluating whether or not certain individuals have violated the Terms of Use for Xbox LIVE and will take the appropriate enforcement on an individual basis. Codes obtained legitimately by users will not be impacted."

Microsoft's Points system remains the main currency used on the Xbox Live and Zune Marketplaces, as well as in Windows Live Gallery. Users can buy points in various denominations, from 400 ($5) all the way to 4,000 ($50), either online or in retail stores. Microsoft recently dropped the requirement to use points when purchasing game downloads and add-on content through its Games for Windows Live service, allowing users to have charges sent to credit cards instead.