Slashdot Mirror


Five-Year-Old Uncovers Xbox One Login Flaw

New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."

12 of 196 comments

  1. Prosecute the child and father! by Anonymous Coward · Score: 5, Funny

    Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.

  2. Sucks to be a security professional... by pegr · Score: 5, Funny

    Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!

  3. They were busy by sl3xd · Score: 5, Funny

    I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.

    --
    -- Sometimes you have to turn the lights off in order to see.
  4. Re:Who? How? by Anonymous Coward · Score: 3, Funny

    I don't know who could get this wrong or how you could get this wrong.

    Does it work if you have the same number of characters?

    len(input) == len(password)?

    or?

    input == password OR (len(input) == len(password) AND string_is_all_spaces(input))

    You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like telling someone to make an omelette and they accidentally build a time machine. What the heck were they doing here??
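
The page does not say how the real check was broken, so the following is an added, constructed illustration (not Microsoft's code and not from any commenter) of what a defender would want instead: a verifier that hashes and compares without trimming or normalising input, plus a regression check that replays the sequence from the story (wrong password, then a second entry made only of spaces) and a few other degenerate inputs. Function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example: a salted PBKDF2 password record, a constant-time
# verifier, and a regression check for the "all spaces" bypass described
# in the story. Not the Xbox One implementation, whose defect is not
# described on this page.

ITERATIONS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, pbkdf2_hash) for the given password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(record: tuple[bytes, bytes], candidate: str) -> bool:
    """Hash the candidate exactly as entered (no strip, no case folding) and
    compare in constant time, so an all-space entry is just a wrong password."""
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(expected, got)


def login_session(record: tuple[bytes, bytes], attempts: list[str]) -> list[bool]:
    """Evaluate each attempt on its own: an earlier failure carries no state
    that could change the outcome of a later attempt."""
    return [verify_password(record, attempt) for attempt in attempts]


def bypass_regression(record: tuple[bytes, bytes], real_password: str) -> bool:
    """True only if the story's sequence and other degenerate inputs are all
    rejected while the real password is still accepted."""
    # Replay the reported sequence: wrong password first, then only spaces.
    sequence = login_session(record, ["wrong-password", " " * len(real_password)])
    degenerate = ["", " ", " " * 64, real_password + " ", " " + real_password,
                  real_password.upper(), real_password.strip()]
    degenerate = [d for d in degenerate if d != real_password]
    return (not any(sequence)
            and not any(verify_password(record, d) for d in degenerate)
            and verify_password(record, real_password))
```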

  5. Re:Who? How? by OakDragon · Score: 4, Funny

    Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:

    ***********

    Neat, huh?

  6. Re:$300? by jones_supa · Score: 3, Funny

    At least they did the right thing and rewarded the kid for the discovery, instead of suing the father for "tampering with their security".

  7. Re:Who? How? by PRMan · Score: 3, Funny

    Actually, it says Hunter2 for me...

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  8. Re:Who? How? by stephenmac7 · Score: 3, Funny

    What if your pin is a palindrome?

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  9. forgot rule 12 of evil overlords by Jecel Assumpcao Jr · Score: 4, Funny

    I guess their team of advisors is incomplete:

    http://www.eviloverlord.com/li...

    "12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."

    And:

    "60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."

    Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.

  10. Re:Fuck M$ by Anonymous Coward · Score: 3, Funny

    You have that backwards. M$ has always known about shit. Just look at their products.

  11. Re:$300? by Anonymous Coward · Score: 2, Funny

    Basic QA should've caught this.

    For all the times we suspected it, now we have proof that they were all spaced out!

  12. Re:Who? How? by marcello_dl · Score: 4, Funny

    > What if your PIN is a palindrome?

    you enter "emordnilap a"

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol