Five-Year-Old Uncovers Xbox One Login Flaw
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"
I mean, it's not like hashing or string comparison are hard problems.
xbone, yeah!
Hello. What's the weather like in 1998?
OK, So they have learned about Jack in these last 16 years... but they are still having some trouble with Shit.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
The account security is not important. The facial recognition logging who was in the room at what times and storing it in a coded blackbox style log is what's important. User account security is not significant. We are not the customers
Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.
It doesn't mean much now, it's built for the future.
Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.
Balmy and less authoritarian.
The only reason this would be remotely relevant, funny or even smirkworthy would be if it was 10 years ago and you had in fact succeeded at being the first to post. The jokes over man. And you just lost the game. HA!
sudo apt-get install sl && sl
New marketing campaign for Xbox One. 'So simple a 5 year old can hack it.'
Works for logging into Windows 8.1 also....
I bet every undergraduate CS Department in the country will want him. :p
"Sum Ergo Cogito"
This might have been a simple to find bug but that's exactly why it would have been so damaging. They could at least give the kid a permanent XBox Live subscription. He would have effectively had one if he hadn't disclosed the bug.
Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!
I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.
-- Sometimes you have to turn the lights off in order to see.
I mean, what kind of code can allow a space password to be approved... surely the MD5 didn't check... oh wait... another buffer overflow because the length of the password was too big? Why the space? Is it like a backdoor the developer forgot to remove?
The irony is that your response is equally archaic.
I just simply have to click the cancel button and I get logged right in. You'd think by now M$ would have patched this idiocy. And added USB 2.0 support at the least.
I'm going back to dual booting my linux kernel and browsing with lynx. Fagogts.
I don't know who could get this wrong or how you could get this wrong.
Does it work if you have the same number of characters?
len(input) == len(password)?
or?
input == password OR (len(input) == len(password) AND string_is_all_spaces(input))
You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like telling someone to make an omelette and they accidentally build a time-machine. What the heck were they doing here??
They're the people who invented "press cancel to log in" for windows 95.
I wonder...
Either this is some developer/tester login thing.
Or the developer did something weird where he removed whitespace, and a "correct" match was found when the manipulated/tested string was length 0.
Troll is not a replacement for I disagree.
You'd be surprised. There's a LOT of bad security out there.
Understatement of the day.
Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
>The irony is that your response is equally archaic.
The irony is that you're pointing this out to prove you can correctly identify irony, because you were unsure of yourself until now.
>Navy seal pasta
Thanks for posting this, so I didn't have to go find it.
Gotta love AC's.
Switch to decaf.
Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:
***********
Neat, huh?
Dark Reflection
-NSA
... the matching algo checks for zero length strings *before* it strips out whitespace so lets this through. Once it has stripped out this whitespace it *then* has a zero length string but doesn't know it and then the rest of the algo fails due to it.
I'll bet it's something stupid like:
hashed_pwd = strip(input_pwd); // whitespace removed first
for (ptr = hashed_pwd; *ptr; ++ptr) // Match
{
if (hash char doesn't match) return BAD;
}
return MATCH; // reached without a single comparison when the stripped string is empty
Actually, it says Hunter2 for me...
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Are you sure? My password is: hunter2.
Typical Microsoft security... :(
Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.
"guerilla" not gorilla FTFY
Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account.
That's interesting. Let's speculate a bit about the bug.
Do you have any theories how the login part of the Xbox One software was programmed which caused it to behave like that?
They're the people who invented "press cancel to log in" for windows 95.
Which was fine. Win95 was intended as a single-user system with no local security. That login screen was for using network resources, and was irrelevant for local access.
And if you don't encrypt your drives, your modern OS is no more secure than Win95 to someone with physical access.
Socialism: a lie told by totalitarians and believed by fools.
Is that you posting AC again President Obama?
It almost has to be a deliberate backdoor for testing that someone forgot to take out. I can't imagine Trim()ing a password. But then I couldn't have believed anyone would smash case on a password before I heard Blizzard did it. I guess there's nothing so stupid that we should rule it out.
Fortunately the 5 years olds are easily bribed by a few games and an ice cream before they try to hack something more dangerous.
This sort of issue really instills a lot of confidence in the quality of that system *facepalm*.
What if your pin is a palindrome?
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.
What if your PIN is a palindrome?
Balmy and less authoritarian.
Balmer, and less authoritarian.
There, FTFY.
They probably trim whitespaces from passwords, and so they tried to compare an empty string to the hash and probably missed an error catching bug there..
More like: input == password or re.match('^ +$', input)
But this is not a keyboard/computer password. Allowances are made for less effective input devices. If extra spaces are a common problem when using Xbox text input, no one would think twice about it. Also, it is possible they just did not allow whitespace in a password, so instead of a warning they just removed it at creation and use (so it would work even if they thought your password has a space in it).
Troll is not a replacement for I disagree.
The 5 year old didn't find this out, the father did. He's just using his 5 year old to get attention.
Posting anonymous because I'm still afraid that pepsi goons will break down my door any minute now.
Quite a few years ago, I found that somebody had shown my preschooler that you could enter code numbers from inside the caps of pepsi products to get "free" merch.
He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.
I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.
It's not that hard to do.
Basically could be
a) debug code for QA left in to bypass login
b) buffer overflow (off by one); and an exception thrown that was caught outside the password system; that exited back to the main run-time. ... rarely tested by QA.
Testing that your code can actually handle the maximum number of characters allowable by the input field, is
I've personally crashed websites that don't restrict the form input length on the password field. Apparently putting in 4096 character passwords does tend to cause issues on -many- sites.
c) Other logic errors:
You explicitly forbid empty password from entry.
Some process internally does a trim($b)
Password process throws an unhandled exception case due to using an empty string; or null value returned from the password hashing, validation, or associated sub layer.
Maximum length exceeded (-1) combined with a trimmed length of 0; can cause issues if an assumption of "the password cannot be empty at this point" was inadvertently violated.
You code each layer with the assumption of where the data came from, and whether it's been validated or rejected at a higher layer. Something slipping by causes lots of strange, and subtle bugs.
How in God's green tarnation does somebody manage to produce a bug like that?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I love the sound of little fists vainly slapping bare chests in an attempt to look tough. Unless it was humor, then it's simply too long.
I guess their team of advisors is incomplete:
http://www.eviloverlord.com/li...
"12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."
And:
"60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."
Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.
Look, I know that /. sometimes posts stories that are one or two years old, but the XBone did not even exist in 1998. So to accuse someone of living in the past, when their comment is reflecting an action this year, seems a little absurd.
You have that backwards. M$ has always known about shit. Just look at their products.
All of which would be bugfuck insane from a security perspective, but after Bliz admitting their passwords are case insensitive, I'll believe anything.
I bet it's due to a single equals sign.
if (password_retry = account_password) {...
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
We adults are so trained to follow the login instructions that no adult would even attempt to put in a bad password and spaces in the next field - doing that fails on every other computer system. If it were a bad password and nothing entered in the next field, then yes, I'd doubt the story. But spaces?
It takes a kid who doesn't know any better.
So, I believe the story.
But it only happens on the second attempt. That implies some state is being carried over. I find it hard to believe that even a drunken monkey could do that by accident.
If that were true he could have logged in with any string not just spaces.
I was going to say... didn't win98 have a similar issue. Make two log in attempts with a password and on the third leave the password field blank or something like that?
Personally I'm a huge fan of the way powershell does it--
* Comparison: $num1 -eq $num2
* Assignment: $num1 = $num2
Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.
What if your PIN is a palindrome?
Then you get your money and the police....
woosh
Stop complaining.
Microsoft fixed it, didn't they?
Microsoft takes security seriously.
(Hey, stop it. Stop laughing. Hey, I said STOP LAUGHING!)
I'll see your senator, and I'll raise you two judges.
I see what you did there...
It actually is 21st century internet humor. The "gorilla warfare" gave it away for me. You get a cookie for at least considering it could have been humor, unlike the other responders.
There is no whoosh, numbnuts.
It looks like removing spaces _after_ checking for the minimum length, and then not finding any incorrect characters, since the length is zero. A simple strcmp() would catch the difference in length.
(removing spaces or any other kind of pre-processing does help with brute-forcing, but he, who cares)
My guess is that they checked each character manually, so they could allow typical mistakes or handle case differences in non-standard ways. If an incorrect character was found, it would be a bad password. Therefore, if no character was tested, no incorrect characters were found, thus the password was "correct".
Another possibility would be that they kept processing the password after an incorrect character was found, to prevent timing attacks. This needs a flag or counter to track incorrect characters. If the length is zero after removing spaces (or spaces are simply skipped while processing), no characters will be tested, and the flag or counter will remain in the "valid password" state.
The fact that this only works on the second try, could indicate that we are actually talking about an extra password, in the form of a "I forgot my password"-question.
(If the second password can't be disabled, it is good practice to fill the answer with a large amount of random characters, effectively disabling it.)
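Added worked example (not code from this thread, from Microsoft, or from the Xbox One): the two comparison shapes speculated in the posts above, the "strip then loop until a mismatch" version and the "keep going and count mismatches" version, placed next to a hardened check that rejects the empty string and compares lengths before comparing bytes. The stored value "hunter2", the strip() helper and the function names are constructed for the demo; a real system would compare against a salted hash of the input, but the comparison shape is the same.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MATCH 1
#define BAD   0

/* Constructed secret for the demo. A real system compares against a
 * salted hash of the input; the comparison *shape* is what this shows. */
static const char *const STORED = "hunter2";

/* Helper (constructed): copy s into out with leading and trailing
 * whitespace removed. */
static void strip(const char *s, char *out, size_t outsz)
{
    while (*s && isspace((unsigned char)*s))
        s++;
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        n--;
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Shape 1, as speculated in the thread: strip, then loop and reject only
 * when a character differs. An all-space input strips to "", the loop
 * body never executes, and control falls through to MATCH. Because the
 * length is never compared, any prefix of the secret is accepted too. */
int check_strip_then_loop(const char *input)
{
    char buf[256];
    strip(input, buf, sizeof buf);
    for (const char *p = buf; *p; ++p) {
        /* STORED's terminating NUL differs from any extra input byte,
         * so an input longer than STORED is rejected here. */
        if (STORED[p - buf] != *p)
            return BAD;
    }
    return MATCH;
}

/* Shape 2, also speculated: keep going after a mismatch (no early exit)
 * and record whether any character was wrong. Zero characters examined
 * means zero mismatches, so the empty/all-space input is accepted. */
int check_mismatch_counter(const char *input)
{
    char buf[256];
    strip(input, buf, sizeof buf);
    int bad = 0;
    for (size_t i = 0; buf[i] && STORED[i]; ++i)
        bad |= (buf[i] != STORED[i]);
    return bad ? BAD : MATCH;
}

/* Hardened shape: no stripping, reject the empty string explicitly,
 * require equal length, then compare every byte without early exit so
 * the position of the first mismatch does not affect the run time. */
int check_hardened(const char *input)
{
    size_t n = strlen(input);
    if (n == 0 || n != strlen(STORED))
        return BAD;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i)
        diff |= (unsigned char)(input[i] ^ STORED[i]);
    return diff == 0 ? MATCH : BAD;
}

int main(void)
{
    /* Constructed inputs: the real password, the thread's all-space
     * field, an empty field, a prefix of the secret and a wrong guess. */
    const char *inputs[] = { "hunter2", "   ", "", "hunter", "wrong" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i)
        printf("%-9s strip_then_loop=%d counter=%d hardened=%d\n",
               inputs[i],
               check_strip_then_loop(inputs[i]),
               check_mismatch_counter(inputs[i]),
               check_hardened(inputs[i]));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. Both speculated shapes return MATCH for the all-space field and for "" because they only ever fail when a character is actually examined; the hardened version treats "nothing to compare" as a failure and fixes the length before looking at bytes. The early return on length does leak the secret's length through timing, which is why the byte loop is normally run over fixed-length hash digests rather than raw passwords.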
I have a "backdoor" branch on some of my git repos. After I merge the working branch into "master" I merge "master" into "backdoor". This allows me to keep backdoors out of the public distributable / viewable code which makes it into releases. The ease of in-place branch and merge in Git is one of its greatest strengths IMO. Even if I accidentally push the "backdoor" code to the public build system, it builds from a "main" branch and doesn't introduce the testing backdoors into the binaries.
The kid gave it all back and wrote, "Thanks, but I don't need these, I already got them thru the flaw."
Seriously, though, kids often find stuff due to the sheer volume of randomly poking around without fear of breaking something.
My kid found a cup-holder I didn't even know the car had. He was bored and poking around in the front seat like kids do, and Wazaaam! out popped a convenient double-cup holder I never knew was there. The button was at a hard-to-see angle.
"Wow! Poke around more kid! Maybe there's a super-model in here."
Table-ized A.I.
then they get your money under civil forfeiture laws.
The people who are waiting for you to develop secure password login libraries.
May the Maths Be with you!
No, no, gorilla warfare. You know, the kind where you beat someone to death with a banana.
> Hello, you appear to be new to Slashdot
"For discovering a multi-million dollar bug that would have required us to shut everything down until fixed, and probably reverted our databases by several days, you get almost nothing! Good day, sir!"
"Wut?"
"I said 'Good day, sir!' !"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
...but they were gracious about it. Microsoft surprise!
Everything in the Universe sucks: It's the law!
That right there should be a serious warning to anyone using or considering Microsoft products.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Well clearly somebody doesn't understand the meaning of "free".
> What if your PIN is a palindrome?
you enter "emordnilap a"
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
From TFA:
*COUGH* eBay's still are *COUGH*
as is the username also
Not just PS, that's a common pattern in many scripting languages, especially shell scripts. Microsoft picked from the best (there's a number of bash-isms in Powershell, for example) when writing that thing.
The compiler really *should* complain about assignment in a test statement, because it's a really common error to make. Or you can remove that option entirely (make assignments valueless statements, in which case that's a syntax error and won't compile at all) but then A) you're forking the languages, and B) a lot of handy stuff like a=b=c=50; stops working unless you special-case it. Better to special-case the if(herp=derp) case, although if you do it as a warning some people will just ignore that...
There's no place I could be, since I've found Serenity...
Or better (since this is /.), the kind where you lob exploding bananas at your opponent.
OK, I promise I stop after this one.
How do you manage to f-ck up so badly? It's not humanly possible, and the only explanation is that someone wrecked it on purpose.
who goes "oh, whatever, we'll just match against whatever?"
As someone else suggested it's probably debug code that found its way into production. It's not a lack of skill problem it's a process problem, code reviews should have picked it up but obviously didn't, how it got as far as customers is the question MS should be asking.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
for good publicity if they're posting lies like this. They're getting more and more ridiculous with their PR. At this rate, they'll be as bad as Republicans in only a few years.
Pro tip: Not that it applies here but I always taught my CS students to code "defensively" by making it a habit to put constants on the LHS of a comparison, because...
if ( constant=variable) - Throws a compiler error, cannot become an application bug.
if (variable=constant) - At best a compiler warning, at worst an application bug.
That was back in the early 90's, many compilers back then did not issue a warning for the second case because it's valid syntax. Nowadays most compilers will issue an explicit warning for assignment in a conditional expression. Still, it's a good habit to cultivate since compiler warnings can be ignored/missed by others but compiler errors can't.
That entry on the list is worth more than them combined. Just think when li'l Krissy is looking for a job in ITSEC two decades from now and when asked for "how long he's been in the business", he'll be the first person in history to be able to fulfill the usual "no older than 25 with at least 20 years of experience" requirement.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Which part of "Microsoft Product" did you not understand?
Isn't X-Box just some kind of game? WGAF whether it has a strong password or not? All this hoopla because someone can't keep their sister out of their gaming system???? WTF?
> The compiler really *should* complain about assignment in a test statement,
Basically all compilers do nowadays. Try doing that in gcc or clang, for example, they'll insist you use double parenthesis around the assignment to explicitly tell it you're really not just missing an equals sign.
No! No NO! This is an _extremely_ bad habit! The code looks like crap, but most importantly: you're changing the logical flow of the code. You're changing the way the code explains itself to the reader, which makes it harder to understand. It's like spelling errors in professional texts: it interrupts the flow of the reader.
ALL compilers nowadays warn about the assignment pattern. Try doing "if (i = 1)" in gcc or clang, for example, they'll insist you use double parenthesis around the assignment to explicitly tell it you're really not just missing an equals sign.
For the love of neat code and all that is holy, please drop this extremely annoying "if (constant == variable)" pattern!
Exactly... Smart phones automagically add a whitespace after finishing a word.
Really annoying and I sometimes barely notice it. Trimming in said case makes sense, who has a whitespace at the end of a password?
Mine does and now everyone knows it you insensitive clod.
Win 95 had a similar error, you just press ESC to get to the desktop... so he's really in 1995
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
I'm quite curious as to what sort of shortcut they took. I can't picture any sort of code that might end up with an issue as particular as this one. :-/
A child will find bugs than an adult will miss, because an adult will only do reasonable things, while kids will try things that don't really make sense. Developers sometimes use little programs that just click things at random to try to catch these kinds of weird bugs, sometimes called "monkey testing."
Physical access covers rather a large range of situations. There's "being able to touch it" at one end and "being able to take it back to your lair" at the other.
Well, there you have it folks, the richest man in the world SCREEEEEEWS a five year old little boy. These crony effing capitalists, I hope they choke on their overpriced organic chicken bones...
Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
There's no difference in my house. Where Win95 earned the hatred of geeks everywhere was for corporate office use, and it took MS forever in internet years to figure out the markets were so different - not until Win2000 did they have a sane OS for the business desktop.
just use billgates as the password and you will rock any network.
I was a bit shocked at how many didn't get it. Then again, this is the new /.
The new right fascists are bilingual. They speak English and Bullshit.
dirigibledonut123
What if your pin is a palindrome?
You're rated funny, but the first time someone actually mentioned that myth to me, my PIN really WAS a palindrome.
My online banking passwords are case insensitive too. And both banks explicitly said it's intentional and they aren't changing it.
Then again, my Australian bank account is protected by a password which must be exactly 6 characters, case insensitive, and cannot contain special characters of any kind. Oh, and must be entered by clicking static buttons on the page.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
So you are saying use if (( i == 1 )) or are you saying use variable == constant?
I'm not following your suggestion. You say to use double parens when assigning, but don't say how you'd make
if (constant == variable)
different/better. I was thinking the latter but it is hard to tell because the compiler wouldn't care about that yet you bring compiler up in the former example.
No, he's saying that if you want to do assignment in the if clause, use
if ((variable=value)) ...
so the inner parentheses explicitly return the value of the assignment (showing the compiler that you meant to do that). As for
if (constant == variable)
he's just saying it looks bad and is harder for human readers to intuitively understand. See this random blog post that I just found for some commentary that echoes the GP's sentiment. I tend to agree - readability is more important in this case.
This news may be a little bit over exaggerated: Similar things happened before, see 5-year boy broke the Ubuntu Desktop (possibly others) http://ubuntuforums.org/showth....