Five-Year-Old Boy Exposes Xbox One Security Flaw

Kristoffer Von Hassel, of San Diego, just had to enter a wrong password and then a series of empty spaces to find a backdoor into his dad's Xbox profile.

Ah, to be five years old again. Life was simpler then, only worrying about kindergarten, Saturday morning cartoons and regularly breaching security systems on high-end electronics.

At least, that's the case for Kristoffer Von Hassel, who found a backdoor into his dad's Xbox One account that let him completely bypass parental controls. It was around Christmas that his parents noticed he was logging onto Xbox Live and playing games he wasn't supposed to have access to.

When asked by his dad how he did it, Kristoffer excitedly showed him that if he input an incorrect answer into the Xbox One's password screen it would take him to a second password verification screen. Once there, all Kristoffer had to do was input a series of blank spaces and he had full control of the console.

"I was like yea!" the boy told local news station ABC 10 News.

Kristoffer said he was nervous at first, afraid his parents would find out about his youthful hacking. His dad, who works in computer security, was anything but mad about his son's discovery. "How awesome is that!" father Robert Davies told ABC 10. "Just being 5 years old and being able to find a vulnerability and latch onto that. I thought that was pretty cool."

Kristoffer's family brought the bug to Microsoft's attention. The company has since fixed the problem and gave Kristoffer a credit on its website as a security researcher. "We're always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it," said Microsoft in a statement to ABC 10. They even gave Kristoffer several free games, a year's subscription to Xbox Live and $50.

While it's an impressive feat for any child, Kristoffer's hacking experience apparently started much earlier. His father recounts that when he was only one, Kristoffer learned that he could bypass the toddler lock on a cell phone by holding down the home key.

Source: ABC 10 News

This kid is going places. He also has a really cool dad.

This is why everyone needs to arm themselves with a 5-year-old when Skynet rises and this is why Microsoft really need to reconsider their recruitment methods.

I remember reading about this last night. That back door was quite a big one when you think about it, and now all the kids who managed to find it, if they did, will probably be pissed off at Kristoffer because they can't use it anymore. XD

As for the dad, he is a plain awesome dad that's for sure.

This is gonna be a movie someday. Probably one featuring sub-par child acting and decent SFX. Probably they'll make the kid autistic to suit audience prejudices and decrease the need for a skilled 5-year-old actor.

I give him about a year before he's recruited by the NSA.

Well at least Microsoft will be able to save some money by hiring five year olds instead of whoever currently does their security testing. You could just pay them with Pokémon cards or something.

Clearly Microsoft has never read the evil overlord list, had they done so they would have had a five year old child in house to test their security measures and point out all the flaws in their plans. Microsoft should probably hire the kid, that way they might stop making really stupid mistakes eg. Windows 8, Xbox One DRM policies, and making Xbox One security that easy to bypass.

Getting hacked by a five year old.

I guess MS will be the laughing stock of the industry for the next weeks...

It never fails - EVERY time the XBone makes a new headline, it's one more reason not to buy the damned thing!

"high-end electronics"? Hah. All three were made to be cheap with the only major focus desired by the top execs was the anti-piracy security.

More OT:

Brian Tams:
I give him about a year before he's recruited by the NSA.

I'd bet his entire extended family probably has more taps on them now that they know he's hacking before grade school and his father works in computer security. They're paranoid enough to turn eyes away from real threats.

This is actually kind of depressing when you think about it, microsoft is one of the largest companies on the planet and they can't even program a decent parental lock.

TiberiusEsuriens:
This kid is going places. He also has a really cool dad.

Yea... imagine him at 10...

Queen Michael:
This is gonna be a movie someday. Probably one featuring sub-par child acting and decent SFX. Probably they'll make the kid autistic to suit audience prejudices and decrease the need for a skilled 5-year-old actor.

It already is! It's called Mercury Rising - the story of an autistic savant kid who bypasses an NSA cryptographic code, so a bounty is placed on his head.

It's awful.

Brian Tams:
I give him about a year before he's recruited by the NSA.

Or he's clipped by the NSA.

themilo504:
This is actually kind of depressing when you think about it, microsoft is one of the largest companies on the planet and they can't even program a decent parental lock.

Not really. They did make Internet Explorer after all, which has remained relevant solely on the fact that they (being Microsoft) can push and hammer others to keep themselves in use.

Brian Tams:
I give him about a year before he's recruited by the NSA.

"I was like YEAH!! Your eewhales are mwine andwea merkall..." ::giggles madly::

That's... A big flaw, even for Microsoft.

CriticalMiss:
Well at least Microsoft will be able to save some money by hiring five year olds instead of whoever currently does their security testing. You could just pay them with Pokémon cards or something.

And top it all off, they'd probably be more effective than the current staff.

All things considered, this kid is either really lucky or has quite the eye for technology at his age. It'd be disappointing if this was the last we heard of him.

Uh guys? Way to bury the lead...
The correct title should read "Real World Supervillain gets Origin Story!"

Hack the planet!!

Seriously. Didn't they read the evil overlord list?

#12: One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

Seriously, Microsoft, one'd think that you'd account for situations like this.

I like the fact that Microsoft awarded the kid with all that stuff. That's some pretty good motivation for a kid to pursue a career in something technology related and to start soon.

I've read the evil overlord list and I agree with those saying Microsoft should have read it. That's a pretty massive flaw for no one to have noticed beforehand. Still, at the end of the day they admitted they goofed up and rewarded the kid, so credit where it's due.

Also, that kid's dad is awesome.

wait.... really? A series of empty spaces is all it takes to hack past the parental control? How did they not pick up on that way back when they were still testing the thing?

this must have been quite a serious security flaw if they gave him several games and credit

or maybe Microsoft were being generous?

Not wishing to be "that guy" but the fact that the kid's father is a computer security expert makes me think this story might have been made up i.e. the Dad found the flaw and came up with the story to illustrate how glaring the flaw really is and to make the story more newsworthy and entertaining.

It's perfectly likely that the story as presented is a true account though. Besides, the anecdote isn't really that important in the larger issue of the childishly shit security so who cares?

Oh come on I already had to poke Microsoft over the frame rate comic Critical Miss did... but if you insist. The new captain at the helm of HMS Titanic, I mean everything Xbox just cannot miss those icebergs he's got his work cut out they just keep turning up those bad calls every week.

But seriously this console is a cluster fuck of bad calls and I really hope they start getting more positives soon (mostly for my poor flat mate who really is a bitch to Microsoft and besides Titanfall hasn't really used the machine or spoke positively about it much at all).

Riotguards:
this must have been quite a serious security flaw if they gave him several games and credit

or maybe Microsoft were being generous?

It was maybe a couple hundred dollars worth of stuff retail (including the cash), and likely less wholesale. Considering how much more you would have had to pay someone professional to do something like this it's probably just some cheap good publicity for Microsoft.

Not that I'm trying to discredit Microsoft; it was a wonderful thing to do to reward someone like that for unsolicited contributions to the quality of your product, and it probably made sure that this kid is going to be a world-class computer security consultant in his future. It's just not really a particularly large expense all things considered.

I remember I broke into a Brinks safe when I was twelve. Maybe my skills have grown too, brb.

Chaosritter:
Getting hacked by a five year old.

I guess MS will be the laughing stock of the industry for the next weeks...

This.

How the actual fuck did an oversight like THIS go uncorrected?

Funny.

Guess this is another reason why I'm not getting the Xbox One...

This reminds me of the Evil Overlord Rule number 12:

One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

MS is clearly needing to expand their recruiting pool.

Apparently Microsoft missed that rule for Evil Overlords. Always let a child look at your plans to find the obvious security flaws.

This kid just might be going places.
But yeah this is a pretty big flaw in their parental control system.

So, Microsoft should be hiring 8 year olds with accidental access to their parents' bank accounts in order to do their testing?

...I'd feel angry for some weird reason, but I'm too busy laughing.
