
Five year old exposes Xbox One security flaw


Lady Lilith


http://kotaku.com/five-year-old-boy-exposes-xbox-security-flaw-1558183736

 

 

 


Meet Microsoft's newest security researcher: Kristoffer Von Hassel. He lives in San Diego. He loves video games. And he's five years old.

He's also a better hacker than any of us. Von Hassel cracked into his dad's Xbox One account by finding a backdoor in the password verification screen, as ABC 10 reports. He entered the wrong password, hit space a few times, and somehow found himself with access to a treasure trove of video games he wasn't supposed to play. Kids these days, am I right?

Von Hassel and his dad reported the issue to Microsoft, and the folks at Xbox not only fixed the issue, but added him to their acknowledgement list as an official Security Researcher. He also gets four free games, $50, and a year-long subscription to Xbox Live.

 

Well, Microsoft always has had shitty manufacturing.  Now I guess we can say shitty software design too.  Who designs an account system where literally a 5 year old can get in via hitting space a few times after entering the wrong password?

  • Like 4

As I said, if a 5 year old can crack it, then either the kid is a fucking Genius or it was so easy to crack [which it is apparent here]. I have means to believe the Xbone was rushed out of the door. Xbox One needed more time before they went out of the door, and as they retooled the OS after the mass was flashed, that is just a fail.


There's some information missing from this story. There are 2 ways to access an account on Xbox One, first being when you initially add it to a console and second being when you go to sign in after it's been added. What's missing, and this is missing from every version of the story I've seen, did the vulnerability work on both instances or just one? It's obvious from the story that it worked in the second case of accessing an account, where it's already on the console. It's never mentioned if it worked in the first method. You do not get that particular screen when adding an account to a console, the one in the story where it shows the email address. If it only worked when the account is already on the console then people are really making a much bigger deal out of this than it really is since for anyone to actually use that vulnerability they would have to already know the password in order to be able to put a person's account on their console in the first place just so they can exploit the vulnerability.

  • Like 3

One of the first rules of being a good supervillain -- that's "good at your job" and not "good on a morality scale of Good/Evil" -- is that you hire a couple of kids that age to be assistants.  You use them as troubleshooters and scrap any ideas and the like that they can find flaws in.

 

Clearly, Microsoft isn't a very good Supervillain.


Maybe this exploit was caused by removing DRM? Anyway, glad to see they fixed it, but it is still funny how a 5 year old hacked into their system xD And there's a possibility that this wasn't the first time this exploit was used, but it was the first time someone reported it, maybe! Kids might have a bright future :awesome:


I remember when they first brought out the 'slim' version of the Xbox 1 controller, after only like 2 or 3 months or so since it released they offered everyone who had a fat controller to trade it in for a slim and you'd even get a free game as compensation for your troubles, that's how huge it was, hilarious!

 

On topic: From a company that originally develops software for computers, this does look very amateuristic, sheesh.


Here's a couple of interesting reads that show that someone, most likely the father with the assistance of the media, is intentionally trying to make Microsoft look bad by exaggerating the problem and using clever editing, a misrepresentation of facts as well as leaving out certain facts to cover up what this story really is, a PR stunt for the company the father works for. Microsoft just demoed how Azure can work with gaming this past week and suddenly this story comes out, a story about a kid with a father who used to work at Sony and now just so happens to work at a company that is an Azure competitor as well? That's not just coincidence.

 

The links indicate an intentional exaggeration of the problem as it's not an actual account hack but a parental control bypass, very different, as well as some information on the father. The first link also includes information from MSRC (Microsoft Security Response Center) that states the payout is in line with a parental control bypass "hack" and not an actual major security hack like is being reported, as if it was an actual account hack the payout would be more like $11,000.

 

http://www.ign.com/blogs/headpirate/2014/04/05/did-a-5-year-old-really-hack-the-xbox-one

 

http://www.linkedin.com/pub/robert-davies/5/302/B17

Edited by BooneJusticius
