ToastMyConsole was an Xbox One SystemOS remote code execution, using modified Xbox Live messages that appeared as system alerts from the "Xbox Live profile", and the XDashLauncher WinJS UWP app, which, as an inbox app, ran with little UWP sandboxing. Promotion messages from Xbox Live, such as a gift card or sales offer, often included a button that used a deeplink to trigger the MS Store and provide a FiveXFive code. By modifying this button's deeplink, it was possible to instead trigger the launch of XDashLauncher, which, when passed our customized WinJS, granted between user and SYSTEM level control. The cherry on top was that, at the time, Live didn't check the message's sender XUID variable against the profile's XUID, allowing one to craft and send a message as XUID 0, aka the Xbox Live Service Profile. This would cause the proper system toast when a user received the spoofed message.
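The two missing server-side controls the paragraph points at are a sender check (the claimed sender XUID must equal the XUID the session authenticated as, and no user session may author a message as the service profile) and a deeplink check (a promo button may only open the allow-listed store scheme, not an arbitrary app). The following is an added example written for this page, not code from the original post or from Microsoft; the field names, the `ms-windows-store` allow-list, the `some-other-app` scheme and the XUID values are constructed assumptions.

```python
"""Defender-side validation of an inbound promo message before it is
rendered as a system toast. Added example; all identifiers are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SYSTEM_XUID = "0"  # the page identifies XUID 0 as the Xbox Live Service Profile
# Assumed allow-list: the only URI scheme a user-authored button may open.
ALLOWED_DEEPLINK_SCHEMES = {"ms-windows-store"}


@dataclass
class InboundMessage:
    sender_xuid: str               # XUID the message claims to come from
    body: str
    button_deeplink: Optional[str] = None


class MessageRejected(ValueError):
    """Raised when a message fails a validation check."""


def validate_message(msg: InboundMessage, session_xuid: str) -> InboundMessage:
    """Accept only messages whose claimed sender is the authenticated session
    and whose button (if any) deep-links into an allow-listed scheme."""
    # Check 1: the sender field must match the authenticated session. The page
    # says this comparison was missing, so a user could claim any XUID.
    if msg.sender_xuid != session_xuid:
        raise MessageRejected(
            f"sender {msg.sender_xuid!r} does not match session {session_xuid!r}")
    # Check 2: no user session may author a message as the service profile,
    # which is what produces the trusted "system" toast.
    if msg.sender_xuid == SYSTEM_XUID:
        raise MessageRejected("users cannot send as the system profile")
    # Check 3: a user-authored button may only launch the store, never an
    # arbitrary inbox app such as a launcher.
    if msg.button_deeplink is not None:
        scheme = urlparse(msg.button_deeplink).scheme.lower()
        if scheme not in ALLOWED_DEEPLINK_SCHEMES:
            raise MessageRejected(f"deeplink scheme {scheme!r} not allowed")
    return msg


def triage(messages: List[InboundMessage],
           session_xuid: str) -> Tuple[List[InboundMessage], List[str]]:
    """Split a batch into accepted messages and rejection reasons, so the
    rejections can be logged for detection as well as dropped."""
    accepted, rejected = [], []
    for m in messages:
        try:
            accepted.append(validate_message(m, session_xuid))
        except MessageRejected as e:
            rejected.append(str(e))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample traffic for a session authenticated as one user XUID.
    session = "2533274800000000"
    batch = [
        InboundMessage(session, "Sale!", "ms-windows-store://pdp/?productid=ABC"),
        InboundMessage("0", "Sale!", "ms-windows-store://pdp/?productid=ABC"),
        InboundMessage(session, "Sale!", "some-other-app://launch?payload=x"),
    ]
    ok, bad = triage(batch, session)
    print(f"accepted {len(ok)}, rejected {len(bad)}: {bad}")
```

The rejection reasons are returned rather than discarded so the same function can feed a detection pipeline: a spike in sender/session mismatches or in non-store deeplink schemes is exactly the signal a worm like the one described would produce.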
From there, a simple PoC worm was developed. The general idea was to send an infected message to everyone in my friends' group, who would then have their accounts infected and send the same message to all the friends on their lists. The malicious WinJS code would then extract both the XSTS User and Device tokens from each console, sending them off to a server for collection.
The real danger comes in, however, once an employee account is infected and their tokens stolen. As tokens bypass 2FA, this would quickly lead to a greater compromise of Xbox Live and Microsoft. Under MSRC's bug bounty policies posted on their website, a Windows RCE is owed $1 Million in payout, but I never received a dime despite full and immediate cooperation.
In fact, Microsoft themselves told me that if I had actually set the worm loose, they were estimating a resulting 4 BILLION in damages due to compromised employees, possible leaked PII from customers, etc. I was told they would have shuttered the Xbox brand rather than deal with the fallout, given Xbox counts as 1% of their profits anyway.