Slashdot Mirror


Five-Year-Old Uncovers Xbox One Login Flaw

New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."

43 of 196 comments

  1. $300? by schneidafunk · · Score: 5, Insightful

    What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:$300? by FrozenToothbrush · · Score: 3, Insightful

      Such a small prize for a million dollar flaw. Basic QA should've caught this.

    2. Re:$300? by DigitAl56K · · Score: 4, Informative

      To put it in perspective, that $100K was for bypassing exploit mitigation features that cross all processes on the system, and would severely undermine Windows 8.1's security features. This one seems to require you to be standing in front of a specific console.

      Still, what a stupid bug to have.

    3. Re:$300? by jones_supa · · Score: 3, Funny

      At least they did the right thing and rewarded the kid for the discovery, instead of suing the father for "tampering with their security".

    4. Re:$300? by JoeMerchant · · Score: 2

      Sounds like a way to log in to any console, anywhere, at any time... but, the physical presence thing is some measure of containment. At least one five year old can't take down every machine on the planet at once.

    5. Re:$300? by Anonymous Coward · · Score: 2, Funny

      Basic QA should've caught this.

      For all the times we suspected it, now we have proof that they were all spaced out!

    6. Re:$300? by subanark · · Score: 3, Insightful

      "Filling out a text field with spaces" isn't something that usually gets tested. I can only imagine what kind of code flaw would cause this to work, but not some other set of characters.

    7. Re:$300? by Redmancometh · · Score: 5, Interesting

      I found a flaw in skype that allowed the dumping of usernames from regional nodes. I could run it on multiple threads and dump literally as high as 2048 per second (never tried with more threads...) Finding the other regional nodes wasn't exactly difficult.

      There are surprisingly dark uses for that ability.

      They sent me an Xbox 360 (this was less than a week before the Xbox One launch) bundle (Kinect), 2 games, an Xbox Live card, and a researcher acknowledgement on TechNet (same as this kid) for August of 2013. I'm one of the "individual" entries with no link.

      I did get invited to bluehat as well which was absolutely incredible, but I paid for the flight, hotel (at a discounted rate, at the Westin, Seattle!), etc.

      It was a f*cking awesome conference.

      Skype isn't covered by their bug bounty program, so they said there was nothing they could do. I was pretty insistent that I really needed the money, because I really, really needed the money. That was a brief period in my life of spam sandwiches and ramen.

      I'm not complaining, but I am saying if something isn't covered by their bounty program you're not going to get money from it.

    8. Re:$300? by Redmancometh · · Score: 5, Interesting

      The last person who asked me that turned out to actually work with Skype at BlueHat. The whole team came over and THEN told me who they were -_-.
      I was just looking for a table with people who weren't anti-social, and one of the people happened to work for Skype. Very, very friendly people, by the way.

      Basically I was trying to get into a friends machine (we were doing a mini CTF) and as a joke he gave me the IP to a skype regional node.

      I fuzzed said regional node and started getting really weird responses. I was trying a port that was open (same port as oracle..7776 I think?) Eventually I figured out that an arbitrary 4 bytes would result in a response with a plaintext string at the bottom of the packet.

      My first thought was that my friend was running a gameserver, botnet, chat room, or really just something..weird.

      Eventually I figured out they were skype usernames. Complete accident that I stumbled upon it. I'm only mentioning the details here because A) Microsoft knows exactly how I found it B) It's patched.

      I believe it would have actually have had use as a DDoS amplification platform. The responses sent back were 50-90x the size of the request.

      They never told me why this worked. The first engineer I had talked to asked one of them if it was an edge case, and the other shook his head "no," and aaaalmost said what it was. Then he noticed I wasn't an MS employee and said he couldn't tell me that.

    9. Re:$300? by Redmancometh · · Score: 2

      I actually submitted this story to slashdot, but it never got any comments, front page, etc.

    10. Re:$300? by DarksideDaveOR · · Score: 3, Interesting

      My guess would be it was a debugging "feature" that someone forgot to turn off.

      But filling up password fields with certain common characters probably IS something that should be tested, even if it wasn't standard before.

    11. Re:$300? by Apocryphos · · Score: 2

      Zero Cool? Crashed fifteen hundred and seven computers in one day? Biggest crash in history, front page New York Times August 10th, 1988. I thought you was black man. YO THIS IS ZERO COOL!

    12. Re:$300? by organgtool · · Score: 3, Insightful

      "Filling out a text field with spaces" isn't something that usually gets tested.

      Which is why peer reviews of code changes are conducted at many places these days.

    13. Re:$300? by rhizome · · Score: 2

      > isn't something that usually gets tested.

      I bet it does now, and competent developers *do* test corner cases.

      --
      When I was a kid, we only had one Darth.
  2. Who? How? by i+kan+reed · · Score: 5, Insightful

    Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"

    I mean, it's not like hashing or string comparison are hard problems.

  3. Re:Fuck M$ by X0563511 · · Score: 2, Insightful

    OK, So they have learned about Jack in these last 16 years... but they are still having some trouble with Shit.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Re:Who? How? by Pope · · Score: 3, Informative

    You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.

    --
    It doesn't mean much now, it's built for the future.
  5. Prosecute the child and father! by Anonymous Coward · · Score: 5, Funny

    Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.

    1. Re:Prosecute the child and father! by JoeMerchant · · Score: 3, Insightful

      Makes me wonder if the kid is just an attention ploy the dad used...

  6. A year? Seriously? by shaitand · · Score: 3, Interesting

    This might have been a simple to find bug but that's exactly why it would have been so damaging. They could at least give the kid a permanent XBox Live subscription. He would have effectively had one if he hadn't disclosed the bug.

  7. Sucks to be a security professional... by pegr · · Score: 5, Funny

    Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!

  8. They were busy by sl3xd · · Score: 5, Funny

    I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.

    --
    -- Sometimes you have to turn the lights off in order to see.
    1. Re:They were busy by JoeMerchant · · Score: 5, Interesting

      This smells more like a forgotten backdoor than an algorithmic flaw.... probably traceable in the commit log to the particular dev who put it in, and all the auditors who should have caught it, but didn't.

  9. What kind of code that do that? by JcMorin · · Score: 2

    I mean, what kind of code can allow a password of spaces to be approved... the MD5 surely didn't check... oh wait... another buffer overflow because the length of the password was too big? Why the space? Is it like a backdoor the developer forgot to remove?

    1. Re:What kind of code that do that? by jandrese · · Score: 4, Interesting

      Yeah. Space is a full blown character. This reeks of intentional backdoor, there's really no other plausible scenario in my mind.

      That's not to say the backdoor was necessarily malicious. Maybe the guy in charge of the password login system was always breaking stuff and locking himself out of his box, so he put a bypass in there so he could get in and fix it, but forgot to remove it later. It's at best really sloppy.

      --
      I read the internet for the articles.
    2. Re:What kind of code that do that? by Anrego · · Score: 2

      My guess is it's an algorithm that starts with the assumption that the password is correct until proven incorrect, and something in that algorithm is breaking, leaving the correct assumption to stand.

      This is of course lazy programming, but not entirely uncommon.

  10. Re:Who? How? by Anonymous Coward · · Score: 3, Funny

    I don't know who could get this wrong or how you could get this wrong.

    Does it work if you have the same number of characters?

    len(input) == len(password)?

    or?

    input == password OR (len(input) == len(password) AND string_is_all_spaces(input))

    You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like telling someone to make an omelette and they accidentally build a time machine. What the heck were they doing here??

  11. Re:Who? How? by wisnoskij · · Score: 2

    I wonder...
    Either this is some developer/tester login thing.
    Or the developer did something weird where he removed whitespace, and a "correct" match was found when the manipulated/tested string was length 0.

    --
    Troll is not a replacement for I disagree.
  12. Re:Who? How? by CanHasDIY · · Score: 4, Insightful

    You'd be surprised. There's a LOT of bad security out there.

    Understatement of the day.

    Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  13. Re:Who? How? by OakDragon · · Score: 4, Funny

    Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:

    ***********

    Neat, huh?

  14. Possibly... by Viol8 · · Score: 4, Informative

    ... the matching algo checks for zero length strings *before* it strips out whitespace so lets this through. Once it has stripped out this whitespace it *then* has a zero length string but doesn't know it and then the rest of the algo fails due to it.

    I'll bet it's something stupid like:

    hashed_pwd = strip(input_pwd);

    for (ptr = hashed_pwd; *ptr; ++ptr)
    { // Match: zero iterations when the stripped input is empty
            if (*ptr != *stored_hash++) return BAD;
    }
    return MATCH;

  15. Re:Who? How? by PRMan · · Score: 3, Funny

    Actually, it says Hunter2 for me...

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  16. Re:Who? How? by stephenmac7 · · Score: 3, Funny

    What if your pin is a palindrome?

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  17. Re:Attach video in kid's 2026 college application by Anrego · · Score: 3, Insightful

    Generally agree.

    I would however note that it's that curiosity to try stuff like this and that "what happens if I.." mindset that tends to make a good hacker. Yes this kid lucked out, but it's always encouraging when you see this kinda "poke holes in everything" behaviour early on.

  18. My kid broke pepsi.com by Anonymous Coward · · Score: 3, Interesting

    Posting anonymous because I'm still afraid that pepsi goons will break down my door any minute now.

    Quite a few years ago, I found that somebody had shown my preschooler that you could enter code numbers from inside the caps of Pepsi products to get "free" merch.

    He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.

    I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.

  19. Re:Who? How? by Anonymous Coward · · Score: 2, Informative

    It's not that hard to do.
    Basically it could be
    a) debug code for QA left in to bypass login

    b) buffer overflow (off by one), and an exception thrown that was caught outside the password system, which exited back to the main run-time.
    Testing that your code can actually handle the maximum number of characters allowable by the input field is... rarely tested by QA.
    I've personally crashed websites that don't restrict the form input length on the password field. Apparently putting in 4096-character passwords does tend to cause issues on -many- sites.

    c) Other logic errors:
    You explicitly forbid an empty password from entry.
    Some process internally does a trim($b).
    The password process throws an unhandled exception due to using an empty string, or a null value returned from the password hashing, validation, or associated sub-layer.
    Maximum length exceeded (-1) combined with a trimmed length of 0 can cause issues if an assumption of "the password cannot be empty at this point" was inadvertently violated.
    You code each layer with the assumption of where the data came from, and whether it's been validated or rejected at a higher layer. Something slipping by causes lots of strange and subtle bugs.
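
Several of the guesses above converge on one shape of bug (comment 10's `string_is_all_spaces` logic, wisnoskij's whitespace removal in comment 11, Viol8's loop in comment 14, and the trim-then-assume-non-empty chain in comment 19): a trim step turns an all-space input into an empty string, and a loop bounded by that input then falls through to success. The following C program is an added example, not the Xbox One code (which is closed source) or anything Microsoft published; it puts that guessed-at logic beside a hardened check. The stored secret, the test inputs, the `MAX_PW` limit and both function names are constructed for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW 128   /* assumed input limit for the demo */

/* Constructed stand-in for the stored credential. A real system stores a
 * salted hash and compares hashes of fixed length, never the plaintext. */
static const char STORED_PW[] = "correct horse";

/* The bug the thread guesses at: strip whitespace first, then walk the
 * *stripped input* and compare it to the stored value until the input runs
 * out. An all-space (or empty) input strips to "", so the loop body never
 * executes and control falls through to the success return. */
bool check_password_buggy(const char *input)
{
    char buf[MAX_PW];
    if (strlen(input) >= sizeof buf)
        return false;

    /* strip leading whitespace */
    const char *s = input;
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;

    /* copy, then strip trailing whitespace */
    strcpy(buf, s);
    size_t len = strlen(buf);
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        buf[--len] = '\0';

    const char *stored = STORED_PW;
    for (const char *p = buf; *p != '\0'; ++p) {   /* zero iterations for "" */
        if (*p != *stored++)
            return false;                          /* BAD */
    }
    return true;    /* MATCH: reached for "", and for any prefix of STORED_PW */
}

/* Hardened check: no trimming, empty and over-long inputs rejected before any
 * comparison, and the comparison walks the whole input with a single
 * accumulator so that neither a length mismatch nor the first differing byte
 * returns early (constant time over the attacker-controlled input length). */
bool check_password_fixed(const char *input)
{
    size_t n = strlen(input);
    size_t m = strlen(STORED_PW);
    if (n == 0 || n > MAX_PW)
        return false;

    unsigned char diff = (unsigned char)(n != m);   /* length mismatch counts */
    for (size_t i = 0; i < n; i++) {
        /* past the end of the stored value compare against a fixed byte so the
         * loop always runs n times; the length mismatch is already in diff */
        unsigned char expected = (i < m) ? (unsigned char)STORED_PW[i] : 0;
        diff |= (unsigned char)((unsigned char)input[i] ^ expected);
    }
    return diff == 0;
}

int main(void)
{
    const char *inputs[] = { "correct horse", "    ", "", "correct",
                             "correct horse ", "wrong" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\": buggy=%d fixed=%d\n", inputs[i],
               check_password_buggy(inputs[i]), check_password_fixed(inputs[i]));
    return 0;
}
```

Note that the buggy version also accepts any prefix of the stored secret ("correct" passes), the second consequence of letting the input rather than the stored value bound the loop. The hardened version never trims, rejects empty input before comparing, and folds length and content mismatches into one accumulator so no branch short-circuits. With a real salted hash of fixed length the length handling becomes moot, but the "reject empty before you compare" rule and the refusal to trim still apply.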

  20. forgot rule 12 of evil overlords by Jecel+Assumpcao+Jr · · Score: 4, Funny

    I guess their team of advisors is incomplete:

    http://www.eviloverlord.com/li...

    "12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."

    And:

    "60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."

    Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.

  21. Re:Fuck M$ by Anonymous Coward · · Score: 3, Funny

    You have that backwards. M$ has always known about shit. Just look at their products.

  22. Re:Who? How? by David_Hart · · Score: 2

    Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.

    What if your PIN is a palindrome?

    Then you get your money and the police....

  23. Re:Fuck M$ by Impy+the+Impiuos+Imp · · Score: 3, Insightful

    > Hello, you appear to be new to Slashdot

    "For discovering a multi-million dollar bug that would have required us to shut everything down until fixed, and probably reverted our databases by several days, you get almost nothing! Good day, sir!"

    "Wut?"

    "I said 'Good day, sir!' !"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  24. Found by a 5-year old by Khyber · · Score: 2

    That right there should be a serious warning to anyone using or considering Microsoft products.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  25. Re:Who? How? by marcello_dl · · Score: 4, Funny

    > What if your PIN is a palindrome?

    you enter "emordnilap a"

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  26. Re:Who? How? by Anonymous Coward · · Score: 2, Insightful

    No! No NO! This is an _extremely_ bad habit! The code looks like crap, but most importantly: you're changing the logical flow of the code. You're changing the way the code explains itself to the reader, which makes it harder to understand. It's like spelling errors in professional texts: it interrupts the flow of the reader.

    ALL compilers nowadays warn about the assignment pattern. Try doing "if (i = 1)" in gcc or clang, for example, they'll insist you use double parenthesis around the assignment to explicitly tell it you're really not just missing an equals sign.

    For the love of neat code and all that is holy, please drop this extremely annoying "if (constant == variable)" pattern!