How a five-year-old hacked his dad's Xbox One, only to be rewarded by Microsoft [VIDEO]

Graham CLULEY

April 05, 2014

A 5-year-old boy has found a serious and easily exploited security vulnerability in Microsoft’s Xbox One games console that allows unauthorised parties to log into Xbox Live accounts without the correct password.

Kristoffer Von Hassel wanted to play games that he wasn’t supposed to, but needed to crack into his father’s Xbox Live account to do it.

So, this is what the pint-sized wannabe penetration tester did:

Firstly, Kristoffer would attempt to log into his dad’s account, but would enter an incorrect password into Xbox Live. That much was easy; after all, he didn’t know his father’s password.

But then, at a second verification screen, the youngster discovered that simply entering multiple spaces would grant access to the account.

Now he could access any games he wanted on his parents’ Xbox One, including inappropriate choices such as the violent first-person shooter Call of Duty.

Kristoffer, from Ocean Beach in San Diego, California, clearly loves his video games – but he appears to have a good knack for finding security holes too.

You can see Kristoffer in action in the following news report:

Entering lots of spaces into a password field? Hmm. That sounds like the kind of unusual input (rather like entering no password at all) which should have been tested by Microsoft.
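The kind of negative test described above, as an added example (not code from Microsoft or from the original article): a password check that fails closed, plus a harness that feeds it empty and whitespace-only input. The account name, password and function names are constructed for illustration; how the Xbox One check was actually implemented is not stated in this article.

```python
import hashlib
import hmac
import os

def derive(password: str, salt: bytes) -> bytes:
    # Hash the exact characters entered: no trimming, no normalisation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed account record (user name and password are made up).
_SALT = os.urandom(16)
ACCOUNTS = {"dad": (_SALT, derive("correct horse battery staple", _SALT))}

def verify(user: str, password: str) -> bool:
    """Fail closed: every path that is not a proven match returns False."""
    record = ACCOUNTS.get(user)
    if record is None or not isinstance(password, str) or password == "":
        return False
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)

# Inputs that must never unlock an account whose password is something else.
DEGENERATE = [
    "", " ", " " * 8, " " * 64,      # empty and runs of spaces
    "\t", "\n", "\r\n", " \t ",      # other ASCII whitespace
    "\u00a0" * 8, "\u3000" * 4,      # non-breaking and ideographic spaces
    "\x00",                          # NUL byte
]

def accepted_degenerate_inputs(check, user: str) -> list:
    """Return the degenerate inputs that `check` wrongly accepts for `user`."""
    return [repr(p) for p in DEGENERATE if check(user, p)]

if __name__ == "__main__":
    failures = accepted_degenerate_inputs(verify, "dad")
    print("accepted degenerate inputs:", failures or "none")
```

Running `accepted_degenerate_inputs` against every verification step of a login flow, including secondary prompts, makes a bypass of this shape a failing test rather than a field report.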

Microsoft has recognised Kristoffer’s responsible disclosure of the security flaw on its website, where his name appears on a long list of other vulnerability researchers who have found flaws in the company’s online services.

In a statement issued by Microsoft, the software giant explained that the security hole was now patched.

“We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”

By way of a thank you, Microsoft sent Kristoffer four free games, $50, and a year’s subscription to Xbox Live Gold. Wow, Microsoft’s generosity really knows no bounds.

(Mind you, I suppose it’s better than when Yahoo offered researchers a $12.50 t-shirt for finding security flaws on its site.)

Although the media has had a lot of fun talking up the “leet” skills of this five-year-old boy, there is a serious point here.

Microsoft has demonstrated that it had weak password security on the Xbox One. In fact, it was literally child’s play to uncover just how sloppy the Seattle engineers had been.

If it was possible for such a simple security flaw to exist in the Xbox One, potentially granting hackers access to Xbox Live accounts, who knows what other Microsoft online systems might also suffer from similar serious issues and offer backdoor access to third parties?

As more and more household devices become connected to the internet, it is essential that vendors treat security as a matter of priority.

The risk is that manufacturers of internet fridges, home control systems and videogame consoles may not live and breathe security, and expose consumers to threats as a result.
