Finding an Exploit and Annoying the Xbox Dev Team

Introduction

There's something thrilling about tinkering with code late into the night, especially when it leads you down the rabbit hole of discovery—and maybe, just a little, into annoying the folks over at Xbox. This is the tale of how a spontaneous coding project of mine caught the attention of none other than Major Nelson and led to an unexpected conclusion.

The Spark of Inspiration

Picture this: It’s another gaming night for me, my Xbox One humming in the background, with the voices of the Rooster Teeth podcast filling the room. Episode 355 was on, and they were musing over the sharing and viewing of Xbox game clips and screenshots, even those marked private by users. That’s when it hit me—an idea that felt both crazy and brilliant.

Crafting the Tool

For the uninitiated, Xbox One's platform allows players to record game clips and screenshots, a feature I wanted to explore further. Driven by a flash of inspiration, I embarked on creating a JavaScript script and website that would let anyone fetch videos and game clips using just a gamertag. It was an ambitious project that began with a simple question: What if?

Unveiling the Exploit

My quest started on the official Xbox website, where your own game clips and screenshots are accessible. A deep dive into Chrome’s developer tools led me to uncover JSON files that could be loaded without any form of authentication—simply by swapping my gamertag with someone else's. This oversight (or exploit, if you will) was the key to my project.

Here's a glimpse into the JSON file structure:



{
  "result":true,
  "data":{
    "ContinuationToken":null,
    "Screenshots":[
      {
        "Id":"9e8a5803-a495-4a29-b21a-c64602434393",
        "Scid":"c4060100-4951-4a51-a630-dce26c15b8c5",
        "Name":"",
        "Uri":"http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Screenshot-Original.png?sv=2014-02-14\u0026sr=c\u0026sig=K8Tn%2FgFZeSH8hi6porRPNC18RXkIIfveQoKa00D6zp4%3D\u0026st=2015-09-07T21%3A31%3A54Z\u0026se=2015-09-07T22%3A36%3A54Z\u0026sp=r\u0026__gda__=1441665414_1a6bf18ae80dc665c7f877f53f10d049",
        "Preview":"http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Thumbnail_Large.PNG",
        "Thumbnail":"http://screenshotscontent-t5002.xboxlive.com/000900000284f400-9e8a5803-a495-4a29-b21a-c64602434393/Thumbnail_Small.PNG",
        "Expiration":"2015-09-07T22:36:54.5126079Z",
        "Duration":0,
        "CaptureTime":"Uploaded 8/5/2015",
        "ViewCount":4,
        "Views":"4 views",
        "TitleId":1813362885,
        "TitleName":"FIFA 14",
        "TitleLink":"https://store.xbox.com/en-US/Xbox-One/Games/FIFA-14/f04f7029-01ea-4d65-988b-56f583fb7f6c",
        "OwnerGamerTag":null,
        "OwnerProfile":null,
        "OwnerGamerPic":null
      },
      {
        "Id":"196aad38-cc91-4760-9beb-fb0c07e0c8a5",
        "Scid":"1b180100-2e72-4297-a9e6-b79d5a9771a4",
        "Name":"",
        "Uri":"http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Screenshot-Original.png?sv=2014-02-14\u0026sr=c\u0026sig=s9dqA1I%2Bdjv1oTxM%2FmX%2B0tYj8RD2eysCWgp1XAQ6xA4%3D\u0026st=2015-09-07T21%3A31%3A54Z\u0026se=2015-09-07T22%3A36%3A54Z\u0026sp=r\u0026__gda__=1441665414_379050eaf43b062e85d9af7811df2300",
        "Preview":"http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Thumbnail_Large.PNG",
        "Thumbnail":"http://screenshotscontent-t4002.xboxlive.com/000900000284f400-196aad38-cc91-4760-9beb-fb0c07e0c8a5/Thumbnail_Small.PNG",
        "Expiration":"2015-09-07T22:36:54.5126079Z",
        "Duration":0,
        "CaptureTime":"Uploaded 5/30/2015",
        "ViewCount":0,
        "Views":"0 views",
        "TitleId":1519874468,
        "TitleName":"Forza Horizon 2 Presents Fast \u0026 Furious",
        "TitleLink":"https://store.xbox.com/en-US/Xbox-One/Games/Forza-Horizon-2-Presents-Fast-Furious/aaae1849-53dc-453f-8b38-27955610925d",
        "OwnerGamerTag":null,
        "OwnerProfile":null,
        "OwnerGamerPic":null
      }
    ]
  }
}

A fascinating find was the "ContinuationToken," dictating that clips and screenshots load in batches of 12. This meant if a user had more than 12 items, you’d need this token to fetch the rest.

https://account.xbox.com/en-us/gameclips/loadByUser?gamerTag=rob%20gabriel&ContinuationToken=token

As a reminder, you can access the code here. I built some fixtures to allow for valuation and options like so.

The parameters (flags) you need to send are the following:

Flag: 1 returns all screenshots/videos, 0 returns a random screenshot/video.
Type: "screenshots" means screenshots, "gameclips" means videos.
gamerTag: the gamertag you want to get videos from.
width: the width of the video player.
height: the height of the video player.
Number of videos/images: in case you want to limit it.

The Launch and Its Legacy

Merely two hours and a burst of coding frenzy later, I shared my creation on Reddit, targeting Rooster Teeth enthusiasts. The community's reaction was nothing short of spectacular, filled with enthusiasm, feedback, and a fair share of shares. Yet, it was one particular comment that escalated my project from a fun tool to a spotlight-stealing sensation.

An Unforeseen Twist

About four months post-launch, my access was cut off. The once open JSON files now required authorization, rendering my project inoperative. Whether my late-night coding caper was the catalyst for this change, I like to think it played a part in tightening Xbox's security measures—a mixed badge of honor, really.
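
The check the endpoint was missing, and later gained, sketched as an added example (not Microsoft's code and not the tool described in this post). The in-memory store, the session object and the isPrivate flag are assumptions made for illustration; the batch size of 12 and the ContinuationToken field come from the response shown earlier.

```javascript
// Added example. The store, session shape and isPrivate flag are hypothetical.
const PAGE_SIZE = 12; // batch size described in the post

// Constructed sample data: gamertag -> captures, some marked private.
const store = new Map([
  ["alice", Array.from({ length: 15 }, (_, i) => ({ Id: `a-${i}`, isPrivate: i % 2 === 0 }))],
  ["bob", [{ Id: "b-0", isPrivate: true }]],
]);

// Return one batch plus a token for the next one (null when nothing is left).
function page(items, token) {
  const start = token == null ? 0 : Number(token);
  if (!Number.isInteger(start) || start < 0 || start > items.length) {
    return { result: false, data: null }; // reject malformed or out-of-range tokens
  }
  const end = start + PAGE_SIZE;
  return {
    result: true,
    data: {
      ContinuationToken: end < items.length ? String(end) : null,
      Screenshots: items.slice(start, end),
    },
  };
}

// Before: trusts the gamerTag in the query string, so any caller sees everything.
function loadByUserOpen(query) {
  const items = store.get(String(query.gamerTag).toLowerCase()) || [];
  return page(items, query.ContinuationToken);
}

// After: the caller must be signed in, and only the owner sees private captures.
function loadByUser(query, session) {
  if (!session || !session.gamerTag) return { status: 401, result: false, data: null };
  const owner = String(query.gamerTag || "").toLowerCase();
  const items = store.get(owner);
  if (!items) return { status: 404, result: false, data: null };
  const isOwner = session.gamerTag.toLowerCase() === owner;
  const visible = isOwner ? items : items.filter((c) => !c.isPrivate);
  const batch = page(visible, query.ContinuationToken);
  return { status: batch.result ? 200 : 400, ...batch };
}
```

The identity used for the ownership decision comes from the server-side session, never from the gamerTag parameter, and the privacy filter runs before pagination so a continuation token cannot index into items the caller is not allowed to see.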

Reflections and Where to Find the Code

This journey, though it reached an abrupt end, was a profound reminder of the power of curiosity, coding, and community. The entire adventure, from inception to its unforeseen conclusion, is a story I cherish deeply.

For those intrigued by the technical side or simply curious, the code remains available here, alongside a demo site for a glimpse into what was. For more tales of coding exploits and digital explorations, follow my adventures on Twitter.