Five-year-old discovers Xbox Live security vulnerability

Shawn Knight


Each month, Microsoft recognizes security researchers who help make its online services safer by finding and reporting security vulnerabilities. The March 2014 list is seemingly no different than any other… that is, until you learn that a five-year-old is among those being acknowledged.

Shortly after the Xbox One launched late last year, the parents of five-year-old Kristoffer Von Hassel noticed he was somehow logging into his father’s Xbox Live account and playing games he shouldn’t have been. When confronted by his father, Kristoffer spilled the beans and showed his proud papa exactly how he did it.

After typing in the wrong password for the account one day, Kristoffer was presented with a secondary verification prompt. Apparently, by entering only blank spaces and then pressing Enter, he gained access to the account.

The father and son team reported the flaw to Microsoft. It has since been patched and Kristoffer received four Xbox One games, $50 and a year’s subscription to Xbox Live from the Redmond-based company for his efforts.

In a statement on the matter, Microsoft said they’re always listening to customers and thank them for bringing issues to their attention. The message further reads that they take security seriously and fixed the issue as soon as it was brought to their attention.

This isn’t the first time that the youngster has uncovered vulnerabilities. According to his father, he managed to circumvent the toddler lock screen on a smartphone simply by holding down the home button – at age 1.


 
"In a statement on the matter, Microsoft said they’re always listening to customers"

Statements are words and words are meaningless, only their actions prove/display their intent. Not hating on them, they have improved on this front, but still have a long way to go before I am going to believe "they always listen to their customers" while they still shove products and fees down your throat.
 
Is it me or am I the only one thinking tons of people found this out ages ago but wanted to abuse it then this kid told his dad and that's the only reason it got fixed... props for the kid and his dad but tbh I highly doubt this kid was the only person that found this....
 
Wow, how generous of MS, NOT!

They should have given him LIFETIME online access, 20+ games and a GOLDEN CONTROLLER.

Shame on you MS. Scumbags.
 
Shame on you MS. Scumbags.
+1

MS is so incompetent, a 5 year old can get past their security measures. And when proven how incompetent they really are, this is how they reward. They should have docked their entire security development department a full week's pay and given it to this kid.
 
"In a statement on the matter, Microsoft said they’re always listening to customers"
Statements are words and words are meaningless...

As in the words we are typing and statements we are commenting on the Internet, I guess?
 
How does that even work? It's basic programming to check what he writes there. Did they put only incompetent people to work on this next-gen Xbox?
 
I'm pretty amazed by how a security vulnerability like this can even exist?

It's called Security by Obscurity - basically the idea is that there's a wide open door in, you just don't know where it is. Back when Windows 98 was the operating system you could install it and Office products by using the serial number 11111-1111-111-1111. (Just hold down 1 and let it fill in). It's a method for testers to install the product easily without having to type in a serial number each time. It works fine until someone figures it out. :)
 
Wow, how generous of MS, NOT!

They should have given him LIFETIME online access, 20+ games and a GOLDEN CONTROLLER.

Shame on you MS. Scumbags.


That won't happen. Because what if he gets banned? No point.
 