
How a five-year-old hacked his dad's Xbox One, only to be rewarded by Microsoft [VIDEO]

Graham CLULEY

April 05, 2014


A 5-year-old boy has found a serious and easily exploited security vulnerability in Microsoft’s Xbox One games console that allows unauthorised parties to log into Xbox Live accounts without the correct password.

Kristoffer Von Hassel wanted to play games that he wasn’t supposed to, but needed to crack into his father’s Xbox Live account to do it.

So, this is what the pint-sized wannabe penetration tester did:

Firstly, Kristoffer would attempt to log into his dad’s account, but would enter an incorrect password into Xbox Live. That much was easy; after all, he didn’t know his father’s password.

But then, at a second verification screen, the youngster discovered that simply entering multiple spaces would grant access to the account.

Now he could access any games he wanted on his parents’ Xbox One, including inappropriate choices such as the violent first-person shooter Call of Duty.

Kristoffer, from Ocean Beach in San Diego, California, clearly loves his video games – but he appears to have a good knack for finding security holes too.

You can see Kristoffer in action in the following news report:

Entering lots of spaces into a password field? Hmm. That sounds like the kind of unusual input (rather like entering no password at all) which should have been tested by Microsoft.

Microsoft has recognised Kristoffer’s responsible disclosure of the security flaw on its website, where his name appears on a long list of other vulnerability researchers who have found flaws in the company’s online services.

In a statement issued by Microsoft, the software giant explained that the security hole was now patched.

“We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”

By way of a thank you, Microsoft sent Kristoffer four free games, $50, and a year’s subscription to Xbox Live Gold. Wow, Microsoft’s generosity really knows no bounds.

(Mind you, I suppose it’s better than when Yahoo offered researchers a $12.50 t-shirt for finding security flaws on its site).

Although the media has had a lot of fun talking up the “leet” skills of this five-year-old boy, there is a serious point here.

Microsoft has demonstrated that it had weak password security on the Xbox One. In fact, it was literally child’s play to uncover just how sloppy the Seattle engineers had been.

If it was possible for such a simple security flaw to exist in the Xbox One, potentially granting hackers access to Xbox Live accounts, who knows what other Microsoft online systems might also suffer from similar serious issues and offer backdoor access to third parties?

As more and more household devices become connected to the internet, it is essential that vendors treat security as a matter of priority.

The risk is that manufacturers of internet fridges, home control systems and videogame consoles may not live and breathe security, and expose consumers to threats as a result.
