5-year-old cracks Xbox One security by discovering simple flaw

Microsoft sends Kristoffer Von Hassel, aged five, four free games, $50, and a year of Xbox Live Gold after he reports how he managed to break Xbox Live security.

A 5-year-old boy managed to circumvent the Xbox One's security and log in to his father's account without entering the correct password.

As reported by the BBC, San Diego child Kristoffer Von Hassel has now been credited as a security researcher by Microsoft. In an alternate universe, the kid probably turned to the dark side, logged into your account, and pumped your life savings into FIFA Ultimate Team card packs.

Kristoffer discovered the exploit, which has already been fixed, after entering the wrong password while trying to access his dad's Xbox Live account. An incorrect password takes the user to a second verification screen, where the child found that simply filling the password field with spaces let him into the account.
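A regression check for the blank-input case described above, added here as an illustration; it is not Microsoft's code, and the article does not say why the second screen accepted spaces. The names `verify_passkey`, `flawed_verifier` and `BLANK_INPUTS`, the sample passkey, and the guard-clause mistake in the flawed version are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed blank-style inputs a negative test should cover: empty, ASCII
# spaces of several lengths, tabs/newlines, and Unicode space characters.
BLANK_INPUTS = ["", " ", " " * 6, " " * 64, "\t\t", "\n", "\u00a0" * 6, "\u3000" * 6]


def hash_passkey(passkey: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a passkey (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passkey.encode("utf-8"), salt, 100_000)


def verify_passkey(submitted, salt, stored_hash) -> bool:
    """Fail-closed check meant to back every screen, primary or fallback."""
    # No enrolled credential means nothing can match; never treat it as a pass.
    if not salt or not stored_hash:
        return False
    # Reject missing or whitespace-only input outright instead of normalising it.
    if not isinstance(submitted, str) or submitted.strip() == "":
        return False
    # Compare the input exactly as typed, in constant time.
    return hmac.compare_digest(hash_passkey(submitted, salt), stored_hash)


def flawed_verifier(submitted, salt, stored_hash) -> bool:
    """Constructed anti-pattern: the comparison only runs when input remains."""
    cleaned = submitted.strip()
    # Bug: whitespace-only input trims to "", the check is skipped, access granted.
    if cleaned and not hmac.compare_digest(hash_passkey(cleaned, salt), stored_hash):
        return False
    return True


def blank_inputs_accepted(verifier, salt, stored_hash):
    """Return every blank-style input that the given verifier wrongly accepts."""
    return [repr(s) for s in BLANK_INPUTS if verifier(s, salt, stored_hash)]


if __name__ == "__main__":
    salt = b"constructed-salt"               # constructed sample value
    stored = hash_passkey("493817", salt)    # constructed 6-digit passkey
    print("hardened accepts:", blank_inputs_accepted(verify_passkey, salt, stored))
    print("flawed accepts:  ", blank_inputs_accepted(flawed_verifier, salt, stored))
```

Running the same blank-input list against every code path that can grant access, including fallback screens reached only after a failed attempt, is what catches this class of bug before release.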

5-year-old Kristoffer Von Hassel. Image credit: KGTV.

After besting the multibillion-dollar company, the preschooler told local news station KGTV that he "was like yea!"

After realising what he'd done, however, Kristoffer said he "got nervous. I thought [Dad] was going to find out."

Kristoffer's father, Robert, also works in computer security. Technical wizardry must run in the family.

What did Kristoffer think was going to happen after his father reported the error to Microsoft? "I thought someone was going to steal the Xbox," he said.

For reporting the major security loophole, Microsoft gave the kid four free games, $50, and a 12-month subscription to Xbox Live.

"We're always listening to our customers and thank them for bringing issues to our attention," said Microsoft in a statement. "We take security seriously at Xbox and fixed the issue as soon as we learned about it."

Martin Gaston is a news editor at GameSpot, and you can follow him on Twitter @squidmania

Discussion

533 comments
christiantw

First of all this isn't "hacking". It required no exploitation of the system's code and no external code. This is a bug. HUGE difference.

Second, he didn't get more simply because this is not a huge threat to Xbox security. All this bug does is allow people who are already signed in to his account to bypass the 6-digit security code for purchases or mature rated games.

This bug is equivalent to bypassing the parental controls on a cable box.

gordanchoong

Hahahahahahaha! Epic Fail! Microsoft does what Nintendon't!

Rakou

I'm busy specialising in software security testing, and I've NEVER thought of filling the password field with spaces. When performing ethical (white hat / non malicious) hacking, I'll try to think like a child at times.

ksbwings

the story is really funny.....Kid manipulates with powerful system...


how awesome is that.

stan_boyd

what I find ironic is all the sony guys laughing at the MS blunder here, oooooh some kid got past the parental locks, meanwhile sony had a security blunder that allowed people access to your personal info but all the fanboys forgot about that didn't they.

evolate

ehm, this is most probably just a loophole they deliberately put in to bypass the password...there's stuff like this in most systems, ways for developers to bypass systems when they need...it's not a security hole, it's a stupidly easy loophole.

pip3dream

haha. this video.  amazing.

battlefront1943

For a console that already has big security issues, this is disgraceful.


Good for that kid!  Bad for XBOX...  again.

Barighm

I discovered a security flaw like that in a university's email system. What did I get for it? Nothing! Not even a discount on my next month's tuition. Ungrateful jerks.

TommyT456

Wow, if we're getting paid for pointing out flaws in the XBone then we're all going to be millionaires! :D

Keitha313

Shit console... rather play Wii U.

dribblesbarbax

Microsoft gave him 4 of the latest COD games and a year's subscription so he can abuse the rest of the community at an early age.

eternal_napalm

I couldn't believe my eyes after reading this article. Hahaha! Silly Xbone. 


Meme worthy!

melante

White spaces enough to circumvent security? Really?? Is MS really such a joke nowadays?

Dakey87

OK, honestly, at first I didn't really approve of Chris Watters; I feel his reviews are a little biased, but that's beside the point. I died laughing at this 1:49 sec video, so many meme-worthy shots............YEAAAAAAAAAAHHHHHHHHHHHHHHH

fiskem

Son of a......... lady.

canuckbiker

Suddenly Sony doesn't feel so stupid for being hacked by anonymous.

notorious98

Kinda makes you wonder what other features can be hacked by people who actually know what they are doing.  GG Microsoft.  You implemented a flaw that got figured out by a kindergartner.

naryanrobinson

I guess you could say...

*puts on sunglasses*

That's a lot of money...

*turns up collar*

For a little Hassel.

Boddicker

MS protecting your shit.  What a joke.

grove67

the guys in the black market would have paid more

Darkfall_05

"Microsoft has just announced record revenue and profits for Q2 2014 (calendar Q4 2013). On the back of strong Xbox One and 360 sales, and good growth by its commercial licensing divisions, Microsoft managed to bring in $24.5 billion in revenue and $8 billion profit." - Sebastian Anthon.

Four games, $50 and live for a year. Wow!

BadMrSnake

My 3 year old cracked this code last year, I thought someone else was putting in this code buying crap until he showed me. Now send me some swag!

lateralus1

Wow... talking about pathetic. Also considering this exploit was reported to MS for them to fix they sure were stingy on what they sent. This company is seriously run by fucking monkeys. The E3 draconian debacle. Windows 8 force feeding what MS wanted and not what customers wanted, no friggin start menu! This laughable security exploit, forcing you to buy Kinect whether you want it or not. 

Monkeys! Ohh ahh ahh ahh ahhhhh!!!

mescalin1

@Rakou  sorry to say it but surely if you do computer security you have heard of brute forcing a password, or a dictionary attack

jZangetsu21

@stan_boyd Just like Xbox fanboys always fail to mention that credit card info has been hacked from Live accounts as well. Neither MS nor Sony have perfect security.


Grow up man, let the Sony trolls just be, don't feed them.


Besides, if something like this happened on the PS4, the Xbox trolls would be here as well trolling away.

delta5931

@TommyT456 And I can point all the flaws in all of the next generation systems. Minus the Wii U. That's a true next generation console.

gordanchoong

@Keitha313  Yes, I told everybody that the Xboner is crap and the WiiU totally dominates it! Microsoft does what Nintendon't!

Infinite_713

@dribblesbarbax LOL! Good one! Why would parents let their child play online, exposing him to extreme profanity and hate, racist speeches.

robotopbuddy moderator

It's actually quite real, though it's been (unintentionally?) made out to be more than it is - it's just the parental lock password, you'd have to have access to the physical console and the only thing it really was meant to do to begin with was stop kids from having access to funds via their parents' accounts and apply privacy settings. Of course, it evidently has failed in that endeavour, and that is rather embarrassing for Microsoft to say the least, but it wasn't like account details were available online to anyone via this relatively minor security hole. That said, it will certainly hurt consumer trust when it comes to Microsoft's ability to protect their data.


On the other hand, the kid got some free stuff and even has something nice to put on his résumé haha.

robotopbuddy moderator

@eternal_napalm Yeah, I can definitely see a meme coming out of this one...something to remind Microsoft that they were bested by a 5 year old for the foreseeable future...I can see this coming up in clashes between fanboys as well for a little while, regardless of how little real threat the security hole posed to Xbox One users.

naomha1

@Darkfall_05  They really didn't have to do anything. It's not like any buyer of MS products is under contract to disclose problems in their software or hardware.  The fact that they did report it probably saved some unlucky chump from having his HDD wiped by an angry girlfriend. Still, they came out of pocket for a 5 year old. That, in and of itself, shows appreciation. No matter what the contents were.

melante

@lateralus1 Completely agree with you. They are not getting anything right lately (checked out also MS surface tablets?) and yet MS stock price skyrocketed... I guess these problems have yet to be reflected in their quarterly YoY reports...

Psycold

@lateralus1  I hate that I have to use Windows in order to play my good PC games, I really hope the whole company just goes under at some point.

battlefront1943

@robotopbuddy The problem really is how easy it was to override the XBOX's parental lock system.  It wasn't a complicated series of actions...  it was just some space keys and "enter."  Crazy.

TommyT456

@robotopbuddy @eternal_napalm Tomorrow's newspaper headline should read...

"Great news for skint gamers, MS paying people to point out flaws in their console." 


We're all going to be rich! :)

bryanj2006

@Psycold @lateralus1 That actually is very possible, a report came out last year that if things didn't change both M$ and Sony were both in trouble of going under bc both were losing money.