Five-Year-Old Uncovers Xbox One Login Flaw
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"
I mean, it's not like hashing or string comparison are hard problems.
You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.
It doesn't mean much now, it's built for the future.
Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.
This might have been a simple-to-find bug, but that's exactly why it would have been so damaging. They could at least give the kid a permanent Xbox Live subscription. He would have effectively had one if he hadn't disclosed the bug.
Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!
I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.
-- Sometimes you have to turn the lights off in order to see.
Yeah. Space is a full blown character. This reeks of intentional backdoor, there's really no other plausible scenario in my mind.
That's not to say the backdoor was necessarily malicious. Maybe the guy in charge of the password login system was always breaking stuff and locking himself out of his box, so he put a bypass in there so he could get in and fix it, but forgot to remove it later. It's at best really sloppy.
I read the internet for the articles.
I don't know who could get this wrong or how you could get this wrong.
Does it work if you have the same number of characters?
len(input) == len(password)?
or?
input == password OR (len(input) == len(password) AND string_is_all_spaces(input))
You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like tell someone to make an omelette and they accidentally build a time-machine. What the heck were they doing here??
You'd be surprised. There's a LOT of bad security out there.
Understatement of the day.
Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:
***********
Neat, huh?
Dark Reflection
... the matching algo checks for zero length strings *before* it strips out whitespace so lets this through. Once it has stripped out this whitespace it *then* has a zero length string but doesn't know it and then the rest of the algo fails due to it.
I'll bet it's something stupid like:
hashed_pwd = strip(input_pwd);
for (char *ptr = hashed_pwd; *ptr; ++ptr) // Match
{
    if (hash char doesn't match) return BAD;
}
return MATCH; // an all-spaces input strips to "", the loop never runs, and this is reached
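To make the two guesses above concrete (the "all spaces" length-match idea and the "strip after the emptiness check" idea), here is an added example that is not from either poster and not Microsoft's code. It puts a hypothetical flawed verifier next to a verifier that stores a salted PBKDF2 hash, never normalises the input, rejects empty input, and compares in constant time. The demo password and salt are constructed values.

```python
import hashlib
import hmac

# Constructed demo values for this example only; not a real credential.
DEMO_PASSWORD = "correct horse"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so the run is repeatable
PBKDF2_ROUNDS = 100_000


def buggy_verify(stored_password: str, submitted: str) -> bool:
    """Hypothetical flawed check in the spirit of the post above.

    The emptiness guard runs on the raw input, whitespace is stripped
    afterwards, and the loop only walks the characters that remain.
    An all-spaces input therefore strips to "" and falls through to True.
    """
    if len(submitted) == 0:
        return False                      # guard runs BEFORE stripping
    cleaned = submitted.strip()           # "   " -> ""
    for i, ch in enumerate(cleaned):
        # note: never checks that the lengths agree, so a prefix also passes
        if i >= len(stored_password) or ch != stored_password[i]:
            return False
    return True                           # reached with zero iterations for ""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; whitespace is part of the secret, nothing is stripped."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def safe_verify(stored_hash: bytes, salt: bytes, submitted: str) -> bool:
    """Reject empty input outright, hash the raw input, compare in constant time."""
    if not submitted:
        return False
    candidate = hash_password(submitted, salt)
    return hmac.compare_digest(stored_hash, candidate)


def demo() -> dict:
    """Run both verifiers over the same inputs; returns {label: (buggy, safe)}."""
    stored = hash_password(DEMO_PASSWORD, DEMO_SALT)
    inputs = {"right": DEMO_PASSWORD, "spaces": "   ", "empty": "", "wrong": "wrong"}
    return {
        label: (buggy_verify(DEMO_PASSWORD, s), safe_verify(stored, DEMO_SALT, s))
        for label, s in inputs.items()
    }


if __name__ == "__main__":
    for label, (buggy, safe) in demo().items():
        print(f"{label:>7}: buggy={buggy} safe={safe}")
```

The point of the safe version is not the hash function by itself: it is that the decision is made on the unmodified input, that the "is this empty" test is the last thing that can still be tricked by trimming, and that a fixed-length digest comparison leaves no early-exit loop to fall out of.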
Actually, it says Hunter2 for me...
Peter predicted that you would "deliberately forget" creation 2000 years ago...
What if your pin is a palindrome?
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
Generally agree.
I would however note that it's that curiosity to try stuff like this and that "what happens if I..." mindset that tends to make a good hacker. Yes, this kid lucked out, but it's always encouraging when you see this kinda "poke holes in everything" behaviour early on.
Posting anonymous because I'm still afraid that pepsi goons will break down my door any minute now.
Quite a few years ago, I found that somebody had shown my preschooler that you could enter code numbers from inside the caps of Pepsi products to get "free" merch.
He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.
I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.
I guess their team of advisors is incomplete:
http://www.eviloverlord.com/li...
"12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."
And:
"60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."
Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.
You have that backwards. M$ has always known about shit. Just look at their products.
> Hello, you appear to be new to Slashdot
"For discovering a multi-million dollar bug that would have required us to shut everything down until fixed, and probably reverted our databases by several days, you get almost nothing! Good day, sir!"
"Wut?"
"I said 'Good day, sir!' !"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> What if your PIN is a palindrome?
you enter "emordnilap a"
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol