Skip to main content

My Xbox Live 1.0 for Android – Cleartext Storage of Sensitive Information

Summary
=======
My Xbox Live application for Android (version 1.0) stores sensitive information in cleartext within the SQLite database.

Microsoft was originally notified of this issue November 29, 2012.

The details of this issue were made public February 12, 2013.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: 
http://www.xbox.com/
Vendor notified: 11/29/2012
Vendor fixed: 1/18/2013
Credit: Christopher Emerson of White Oak Security (https://www.whiteoaksecurity.com/)

Affected Products
================
Confirmed in Xbox Live application for Android (version 1.0). Other versions may also be affected.

Details
=======
When a user successfully signs into the application, the user’s username and password are stored in cleartext within the webview.db > password table.

Impact
=======
The user’s Xbox username and password could be accessed by any other application with permissions to read that table.  An attacker could use those credentials to impersonate the user and potentially access the valid user’s content and purchase additional content with any saved payment devices.

The impact could be much greater if the user’s Xbox account is tied to other Microsoft services such as Skype, web mail, etc…

Furthermore, the cleartext credentials will be stored on the user’s mobile phone which makes them more easily accessible to an attacker with access to the device.  This significantly lowers the difficulty of exploitation.

Solution
========
The vendor has release a server update which removes the users password from webview.db.

Disclosure Timeline
==============
November 29, 2012: Disclosed to vendor (Microsoft Security Response Center).
November 30, 2012: Vendor’s initial response.
January 17, 2013: Vendor stated a fix would be implemented 1/18/2013.
January 18, 2013: Vendor implemented server-side fix.
February 12, 2013: Disclosed vulnerability publicly.