Microsoft accidentally exposed their private Xbox game developer forums
Note: This occurred in 2015 and was published January 31, 2022 as part of the recent Eaton Works website revamp.
Ever since the very beginning of Xbox development there have been private forums hosted by Microsoft where game studio employees can discuss topics with each other and Microsoft Xbox staff. These forums are confidential and no one outside of Microsoft and Microsoft-approved game studios can access them.
In May 2015 Microsoft was working on an updated forum. After Google-searching an error code I was getting on my Xbox One console, I stumbled upon an interesting cloudapp.net (Azure) website result. It was a forum topic from a game developer asking about the same error code.
After looking around the forum, I realized this was the fabled game developer forums. It was a staging site with several years worth of topics imported into a seemingly new design. The forums had no authentication.🚨 All the forum sections could be browsed without getting a login prompt, which was why the site was being indexed/crawled by Google. I also had full access to private forums that were made specifically for AAA studios such as Ubisoft, Bethesda, and Bungie:
Fortunately, there was a support email in the footer of the site. I promptly sent an email describing the issue. I got in touch with the right person and just about 24 hours after I sent the first email, the forums were taken offline. I was very impressed how quickly Microsoft/Xbox addressed the issue.
My report did not qualify for a bug bounty since the website didn’t fall in the list of eligible Microsoft domains. The Microsoft/Xbox staff were very thankful for the responsible disclosure, however.