
Microsoft updates its Certificate Trust List due to Xboxlive.com certificate leak

Microsoft is dealing with a security issue that could allow malicious users to trick Windows users into giving out their Xbox Live username and password. The problem came to light this week when the company issued a security advisory stating that the private key for the xboxlive.com website's digital certificate had been "inadvertently disclosed".

The statement said:

"Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

Microsoft has already updated its Certificate Trust List for all versions of Windows so that the leaked xboxlive.com certificate is revoked. The company did not reveal how the certificate's private key had been disclosed in the first place.

Source: Microsoft; Via: ZDNet

20 Comments
  • Wow... Great news..
    I also hacked Msft test certs :p
  • Good thing that Microsoft acted fast. Otherwise, we'd all be screwed.
  • Yeah at least that's 1 thing carriers don't control
  • Well thank goodness that Microsoft saw it.
  • Anyone else been getting prompts from Edge to "choose a certificate"? I know I'm not the only one affected by this, I just want to know if it's a widespread issue. I'm wondering if it's a bug related to this.
  • Using IE, but yes I have been seeing the same thing.
  • Ah, good to know you're getting this with IE, too, so as I suspected, it's not just an issue with Edge. Are you on Windows 10?
  • Yeah, I've been seeing it too, using IE on W10. It just started yesterday. I just cancel, since I didn't know what was going on.
  • Same here but it's irritating. Even more irritating is that I haven't been getting it for some hours now even though I didn't change anything and I only kept clicking cancel.
  • I think it's a doubleclick configuration problem. Saw mention of it on twitter last night.
  • Yep blame google Ads
  • Hm, that COULD be it...where on Twitter did you see this mentioned?
  • Never mind this, looks like you were right. It also looks like this has been fixed since I haven't got this in a while.
  • Maybe that would explain why I lost connection to Live ten minutes ago during a game of Destiny.
  • Explains the problems with ubisoft xb1 live servers
  • Nadella!
  • Ugly stuff. Good thing they caught it.
  • A security architecture that is difficult to maintain will fail continuously. Accidental/inadvertent release of anything important is not a good security architecture. The only way to release anything important should take great effort and not be easy/accidental.
  • You threw a bunch of buzzwords together without saying anything. Are you a manager?
  • Oh dear....
    Least it's been revoked.
    Rather concerning that the private key was disclosed. I guess someone stole a very cherished stapler :P.