Finding an Exploit and Annoying the Xbox Dev Team
How a late-night coding session turned into an Xbox exploit that got Major Nelson's attention and ended with my access getting cut off.
Introduction
So this is the story of how I accidentally annoyed the Xbox dev team and got Major Nelson's attention — all from a late-night coding session.
How It Started
I was gaming one night, half-listening to the Rooster Teeth podcast (episode 355). They were talking about how you could view Xbox game clips and screenshots, including ones people had marked as private. That got me thinking.
Building the Tool
Xbox One lets players record game clips and screenshots. I wondered — could I build a simple tool that pulls anyone's clips using just their gamertag? So I started writing a JavaScript script and a little website to do exactly that.
Finding the Exploit
I started poking around the Xbox website using Chrome DevTools. Turns out there were JSON endpoints that loaded game clips and screenshots with zero authentication. You could just swap out the gamertag in the URL and see anyone's stuff. That was the whole exploit.
Here's a glimpse of the JSON structure the endpoint returned (note that every capture carries a time-limited, signed "Uri" alongside unsigned thumbnail links):
{
  "result": true,
  "data": {
    "ContinuationToken": null,
    "Screenshots": [
      {
        "Id": "9e8a5803-a495-4a29-b21a-c64602434393",
        "Scid": "c4060100-4951-4a51-a630-dce26c15b8c5",
        "Name": "",
        "Uri": "http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Screenshot-Original.png?sv=2014-02-14\u0026sr=c\u0026sig=K8Tn%2FgFZeSH8hi6porRPNC18RXkIIfveQoKa00D6zp4%3D\u0026st=2015-09-07T21%3A31%3A54Z\u0026se=2015-09-07T22%3A36%3A54Z\u0026sp=r\u0026__gda__=1441665414_1a6bf18ae80dc665c7f877f53f10d049",
        "Preview": "http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Thumbnail_Large.PNG",
        "Thumbnail": "http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Thumbnail_Small.PNG",
        "Expiration": "2015-09-07T22:36:54.5126079Z",
        "Duration": 0,
        "CaptureTime": "Uploaded 8/5/2015",
        "ViewCount": 4,
        "Views": "4 views",
        "TitleId": 1813362885,
        "TitleName": "FIFA 14",
        "TitleLink": "https://store.xbox.com/en-US/Xbox-One/Games/FIFA-14/f04f7029-01ea-4d65-988b-56f583fb7f6c",
        "OwnerGamerTag": null,
        "OwnerProfile": null,
        "OwnerGamerPic": null
      },
      {
        "Id": "196aad38-cc91-4760-9beb-fb0c07e0c8a5",
        "Scid": "1b180100-2e72-4297-a9e6-b79d5a9771a4",
        "Name": "",
        "Uri": "http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Screenshot-Original.png?sv=2014-02-14\u0026sr=c\u0026sig=s9dqA1I%2Bdjv1oTxM%2FmX%2B0tYj8RD2eysCWgp1XAQ6xA4%3D\u0026st=2015-09-07T21%3A31%3A54Z\u0026se=2015-09-07T22%3A36%3A54Z\u0026sp=r\u0026__gda__=1441665414_379050eaf43b062e85d9af7811df2300",
        "Preview": "http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Thumbnail_Large.PNG",
        "Thumbnail": "http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Thumbnail_Small.PNG",
        "Expiration": "2015-09-07T22:36:54.5126079Z",
        "Duration": 0,
        "CaptureTime": "Uploaded 5/30/2015",
        "ViewCount": 0,
        "Views": "0 views",
        "TitleId": 1519874468,
        "TitleName": "Forza Horizon 2 Presents Fast & Furious",
        "TitleLink": "https://store.xbox.com/en-US/Xbox-One/Games/Forza-Horizon-2-Presents-Fast-Furious/aaae1849-53dc-453f-8b38-27955610925d",
        "OwnerGamerTag": null,
        "OwnerProfile": null,
        "OwnerGamerPic": null
      }
    ]
  }
}
One interesting thing — there was a "ContinuationToken", which meant clips loaded in batches of 12. If someone had more than 12, you had to pass the token from the previous response back on the next request to get the rest:
https://account.xbox.com/en-us/gameclips/loadByUser?gamerTag=rob%20gabriel&ContinuationToken=token
As a reminder, you can access the code here. I built in some fixtures to allow for validation and options, as follows.
So the parameters (flags) you need to send are the following:
- Flag: 1 returns all screenshots/videos, 0 returns a single random screenshot/video.
- Type: "screenshots" means screenshots, "gameclips" means videos.
- gamerTag: the gamertag you want to get videos from.
- width: the width of the video player.
- height: the height of the video player.
- Number of videos/images: in case you want to limit how many are returned.
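To make the ContinuationToken paging concrete and to show the check the endpoint was missing, here is an added example (not the author's tool and not Xbox's code): a mock loadByUser handler that pages captures 12 at a time and, unlike the original endpoint, hands private captures only to their owner. The gamertag comes from the URL above; canView, loadAll and the Private field are assumptions.

```javascript
// Added example, not the author's tool or Xbox's code: a mock loadByUser
// handler that pages 12 at a time via ContinuationToken and, unlike the
// original endpoint, returns private captures only to their owner.
// Names not taken from the post (canView, Private, loadAll) are assumed.
const PAGE_SIZE = 12;
// Constructed sample data: 15 captures for one gamertag, every third private.
const CAPTURES = Array.from({ length: 15 }, (_, i) => ({
  Id: `capture-${String(i).padStart(2, "0")}`,
  OwnerGamerTag: "rob gabriel",
  TitleName: i % 2 === 0 ? "FIFA 14" : "Forza Horizon 2",
  Private: i % 3 === 0,
}));
// The ownership check the original endpoint lacked.
function canView(requester, capture) {
  return !capture.Private || requester === capture.OwnerGamerTag;
}

// requester: authenticated caller, or null; token: previous page's
// ContinuationToken, or null for the first page.
function loadByUser(requester, gamerTag, token) {
  const start = token === null ? 0 : Number.parseInt(token, 10);
  if (!Number.isInteger(start) || start < 0) {
    throw new Error("invalid ContinuationToken");
  }
  // Filter by owner and visibility before paging, so page boundaries
  // never reveal how many private captures exist.
  const visible = CAPTURES.filter(
    (c) => c.OwnerGamerTag === gamerTag && canView(requester, c)
  );
  const next = start + PAGE_SIZE;
  return {
    result: true,
    data: {
      ContinuationToken: next < visible.length ? String(next) : null,
      Screenshots: visible.slice(start, next),
    },
  };
}

// Follow the token chain, as a client must for more than 12 captures.
function loadAll(requester, gamerTag) {
  const all = [];
  let token = null;
  do {
    const res = loadByUser(requester, gamerTag, token);
    all.push(...res.data.Screenshots);
    token = res.data.ContinuationToken;
  } while (token !== null);
  return all;
}
```

An unauthenticated caller sees the 10 public captures in one page, while the owner gets all 15 across a page of 12 and a page of 3.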
Sharing It
About two hours later, I posted it on Reddit in the Rooster Teeth subreddit. It blew up — loads of people were excited about it, sharing it around, and giving feedback. One comment in particular really got the ball rolling.
Then They Shut It Down
About four months later, the JSON endpoints started requiring authentication. My tool stopped working overnight. I can't say for sure it was because of me, but I'd like to think I had something to do with Xbox tightening things up.

Looking Back
It was a fun project and a good reminder of what you can find when you're curious enough to poke around. The whole thing — from idea to getting shut down — only took a few months but it's one of my favourite stories.
The code is still up here if you want to have a look.