Five-Year-Old Uncovers Xbox One Login Flaw
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.
Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!
I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.
-- Sometimes you have to turn the lights off in order to see.
I don't know who could get this wrong or how you could get this wrong.
Does it work if you have the same number of characters?
len(input) == len(password)?
or?
input == password OR (len(input) == len(password) AND string_is_all_spaces(input))
You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like telling someone to make an omelette and they accidentally build a time-machine. What the heck were they doing here??
Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:
***********
Neat, huh?
Dark Reflection
At least they did the right thing and rewarded the kid for the discovery, instead of suing the father for "tampering with their security".
Actually, it says Hunter2 for me...
Peter predicted that you would "deliberately forget" creation 2000 years ago...
What if your pin is a palindrome?
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
I guess their team of advisors is incomplete:
http://www.eviloverlord.com/li...
"12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."
And:
"60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."
Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.
You have that backwards. M$ has always known about shit. Just look at their products.
For all the times we suspected it, now we have proof that they were all spaced out!
> What if your PIN is a palindrome?
you enter "emordnilap a"
---- MISSING MISCELLANEOUS DATA SEGMENT --- trolololol