Microsoft Rewards Five-Year-Old Who Broke Into Father's Xbox One

April 4, 2014 - GamePolitics Staff

San Diego's KGTV has a cool profile of Kristoffer Von Hassel, a five-year-old who discovered a security hole in the Xbox One account login. Kristoffer accidentally managed to log in to his father's Xbox One account without knowing the password, according to the news station. He did this simply by entering spaces into the password prompt after failing to punch the right password in the first time.

A five-year-old boy who managed to accidentally hack into his father's Xbox One account has received gifts and an official thank you from Microsoft for helping the company discover the security hole. His father Robert Davies is, interestingly enough, a security researcher. Shortly after Christmas he verified the exploit, recorded it and sent the video to Microsoft. Microsoft later patched the vulnerability out.

Microsoft was grateful, and rewarded Von Hassel (and his dad) by officially acknowledging him as a Microsoft Security Researcher for March 2014, giving him $50, four Xbox One games, and a year of Xbox Live Gold.

"We're always listening to our customers and thank them for bringing issues to our attention," Microsoft said in a statement. "We take security seriously at Xbox and fixed the issue as soon as we learned about it."

Source: Ars Technica


Comments

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

What I don't get is how that kind of exploit can exist without it being intentional (such as being leftover code during development).

╔╦═╣Signature Statement╠═╦╗

If you don't like something I said in a post, don't just hit the dislike, let me know your thoughts! I'm interested in knowing everyone's opinions, even when they don't mesh with my own.

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

It's not hard to mess up authentication or even more basic stuff like string handling.

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

Except the space has its own unique character ID, as does every other letter, capital and lower case. From a computer logic standpoint this kind of broken setup meant either it was purposefully set up, or it wasn't limited to space characters.

Basically what I'm saying is, it's highly unlikely for just "spaces" to have been an accident unless entering other characters could produce the same result, like all As.


Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

Or, if the auth was *really* naive (i.e.: strip whitespaces, compare for characters not matching the second string *without* a length test, something people actually used to do >.> )
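
The failure mode hypothesized in the comment above, as an added C example. It is not from the thread and not Microsoft's code; the actual Xbox One defect is not described on this page. The function names and the sample password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* "Strip whitespace" step: copy src into dst without its spaces. */
static void strip_spaces(const char *src, char *dst, size_t dstlen)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < dstlen; i++)
        if (src[i] != ' ')
            dst[j++] = src[i];
    dst[j] = '\0';
}

/* Hypothetical naive check: looks for a mismatch only across the characters
 * typed and never compares lengths. All-space input strips to "", so the
 * loop runs zero times; any prefix of the password is accepted as well. */
int naive_check(const char *typed, const char *stored)
{
    char buf[128];
    strip_spaces(typed, buf, sizeof buf);
    for (size_t i = 0; buf[i] != '\0'; i++)
        if (buf[i] != stored[i])
            return 0;
    return 1;
}

/* Corrected check: no stripping, lengths must match, and every byte of the
 * stored value is examined so timing does not depend on the mismatch position.
 * Simplification: a real system compares salted password hashes. */
int strict_check(const char *typed, const char *stored)
{
    size_t n = strlen(typed), m = strlen(stored);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < m; i++)
        diff |= (unsigned char)((i < n ? typed[i] : 0) ^ stored[i]);
    return diff == 0;
}

int main(void)
{
    const char *stored = "hunter2"; /* constructed sample password */
    const char *tries[] = { "     ", "hun", "AAAAA", "hunter2" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-9s naive=%d strict=%d\n", tries[i],
               naive_check(tries[i], stored), strict_check(tries[i], stored));
    return 0;
}
```

With this kind of bug, spaces are accepted while a run of other characters such as all As is still rejected, because only the stripped characters leave the comparison loop with nothing to check.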

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

I don't get it. Why is this kid not being charged under the CFAA and being threatened with 35 years in prison? Is the DOJ getting lazy on the job?

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

It would be bad PR.

Re: Microsoft Rewards Five-Year-Old Who Broke Into Father's ...

The kid would have to be 14 years old at least before they could even begin to consider trying to charge them as an adult, because there is just no fun in doing it otherwise. </sarcasm>


 