Five-Year-Old Uncovers Xbox One Login Flaw

New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."

A year? Seriously?

[shaitand]

This might have been a simple to find bug but that's exactly why it would have been so damaging. They could at least give the kid a permanent XBox Live subscription. He would have effectively had one if he hadn't disclosed the bug.

Re:What kind of code that do that?

[jandrese]

Yeah. Space is a full blown character. This reeks of intentional backdoor, there's really no other plausible scenario in my mind.

That's not to say the backdoor was necessarily malicious. Maybe the guy in charge of the password login system was always breaking stuff and locking himself out of his box, so he put a bypass in there so he could get in an fix it, but forgot to remove it later. It's at best really sloppy.

What caused it?

[jones_supa]

Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account.

That's interesting. Let's speculate a bit about the bug.

Do you have any theories how the login part of the Xbox One software was programmed which caused it to behave like that?

My kid broke pepsi.com

[Anonymous Coward]

Posting anonymous because I'm still afraid that pepsi goons will break down my door any minute now.

Quite a few years ago, I found that sombody had shown my preschooler that you could enter code numbers from inside the caps of pepsi products to get "free" merch.

He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.

I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.

Re:They were busy

[JoeMerchant]

This smells more like a forgotten backdoor than an algorithmic flaw.... probably traceable in the commit log to the particular dev who put it in, and all the auditors who should have caught it, but didn't.

Re:$300?

[Redmancometh]

I found a flaw in skype that allowed the dumping of usernames from regional nodes. I could run it on multiple threads and dump literally as high as 2048 per second (never tried with more threads...) Finding the other regional nodes wasn't exactly difficult.

There are surprisingly dark uses for that ability.

They sent me an Xbox 360 (this was less than a week before the Xbox one launch) bundle (kinect), 2 games, an Xbox Live Card, and a researcher acknowledgement on Technet (same as this kid) for August of 2013..I'm one of the "individual" entries with no link.

I did get invited to bluehat as well which was absolutely incredible, but I paid for the flight, hotel (at a discounted rate, at the Westin, Seattle!), etc.

It was a f*cking awesome conference.

Skype isn't cover by their bug bounty program, so they said they had nothing they could do. I was pretty insistent that I really needed the money, because I really really needed the money. That was a brief period in my life of spam sandwiches and ramen.

I'm not complaining, but I am saying if something isn't covered by their bounty program you're not going to get money from it.

Re:$300?

[Redmancometh]

The last person who asked me that turned out to actually work with skype at bluehat. The whole team came over and THEN told me who they were -_-.
  I was just looking for a table with people who weren't anti-social, and one of the people happened to work for skype. Very very friendly people by the way.

Basically I was trying to get into a friends machine (we were doing a mini CTF) and as a joke he gave me the IP to a skype regional node.

I fuzzed said regional node and started getting really weird responses. I was trying a port that was open (same port as oracle..7776 I think?) Eventually I figured out that an arbitrary 4 bytes would result in a response with a plaintext string at the bottom of the packet.

My first thought was that my friend was running a gameserver, botnet, chat room, or really just something..weird.

Eventually I figured out they were skype usernames. Complete accident that I stumbled upon it. I'm only mentioning the details here because A) Microsoft knows exactly how I found it B) It's patched.

I believe it would have actually have had use as a DDoS amplification platform. The responses sent back were 50-90x the size of the request.

They never told me why this worked. The first engineer I had talked to asked one of them if it was an edge case, and the other shook his head "no," and aaaalmost said what it was. Then he noticed I wasn't an MS employee and said he couldn't tell me that.

Re:$300?

[DarksideDaveOR]

My guess would be it was a debugging "feature" that someone forgot to turn off.

But filling up password fields with certain common characters probably IS something that should be tested, even if it wasn't standard before.