Five-Year-Old Uncovers Xbox One Login Flaw 196
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
$300? (Score:5, Insightful)
What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.
Re: (Score:3, Insightful)
Re: (Score:2, Funny)
For all the times we suspected it, now we have proof that they were all spaced out!
Re:$300? (Score:4, Insightful)
"Filling out a text field with spaces" isn't something that usually gets tested. I can only imagine what kind of code flaw would cause this to work, but not some other set of characters.
Re: (Score:3, Interesting)
My guess would be it was a debugging "feature" that someone forgot to turn off.
But filling up password fields with certain common characters probably IS something that should be tested, even if it wasn't standard before.
Re:$300? (Score:4, Insightful)
Which is why peer reviews of code changes are conducted at many places these days.
Re: (Score:3)
> isn't something that usually gets tested.
I bet it does now, and competent developers *do* test corner cases.
Re: (Score:2)
QA? This bug is way too stupid. It should never even have existed, unless it was intentional. I mean, imagine the code; there's no possible variation where you get this sort of bugs.
They were busy (Score:5, Funny)
I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.
Re:They were busy (Score:5, Interesting)
This smells more like a forgotten backdoor than an algorithmic flaw.... probably traceable in the commit log to the particular dev who put it in, and all the auditors who should have caught it, but didn't.
Re: (Score:2)
Re: (Score:2)
Except you could disable that feature using Policies, and pressing Escape would result in an error message and another login prompt.
Re:$300? (Score:5, Informative)
To put it in perspective, that $100K was for bypassing exploit mitigation features that cross all processes on the system, and would severely undermine Windows 8.1's security features. This one seems to require you to be standing in front of a specific console.
Still, what a stupid bug to have.
Re: (Score:3)
Sounds like a way to log in to any console, anywhere, at any time... but, the physical presence thing is some measure of containment. At least one five year old can't take down every machine on the planet at once.
Re: (Score:2)
Sure he can. Lock him up before he hacks the planet!
Re: (Score:2)
Re: (Score:2)
Not very long ago that comment would have made me chuckle at the sheer absurdity of tossing a 5 year old hacker into prison, with recent cases such as the one of Aaron Swartz in mind it only bring a disillusioned smile to my lips.
On a side note, seriously Microsoft! that was one fucking cheap ass reward you came up with there, couple of games and a one year subscription. Do you actually want people to report bugs to you or do you want to encourage them to find a higher bidder, in this case an Indian street
Re:$300? (Score:4, Funny)
Re:$300? (Score:5, Interesting)
I found a flaw in skype that allowed the dumping of usernames from regional nodes. I could run it on multiple threads and dump literally as high as 2048 per second (never tried with more threads...) Finding the other regional nodes wasn't exactly difficult.
There are surprisingly dark uses for that ability.
They sent me an Xbox 360 (this was less than a week before the Xbox one launch) bundle (kinect), 2 games, an Xbox Live Card, and a researcher acknowledgement on Technet (same as this kid) for August of 2013..I'm one of the "individual" entries with no link.
I did get invited to bluehat as well which was absolutely incredible, but I paid for the flight, hotel (at a discounted rate, at the Westin, Seattle!), etc.
It was a f*cking awesome conference.
Skype isn't cover by their bug bounty program, so they said they had nothing they could do. I was pretty insistent that I really needed the money, because I really really needed the money. That was a brief period in my life of spam sandwiches and ramen.
I'm not complaining, but I am saying if something isn't covered by their bounty program you're not going to get money from it.
Re: (Score:2)
What were the details of the skype bug? I'm curious how you found it.
Re:$300? (Score:5, Interesting)
The last person who asked me that turned out to actually work with skype at bluehat. The whole team came over and THEN told me who they were -_-.
I was just looking for a table with people who weren't anti-social, and one of the people happened to work for skype. Very very friendly people by the way.
Basically I was trying to get into a friends machine (we were doing a mini CTF) and as a joke he gave me the IP to a skype regional node.
I fuzzed said regional node and started getting really weird responses. I was trying a port that was open (same port as oracle..7776 I think?) Eventually I figured out that an arbitrary 4 bytes would result in a response with a plaintext string at the bottom of the packet.
My first thought was that my friend was running a gameserver, botnet, chat room, or really just something..weird.
Eventually I figured out they were skype usernames. Complete accident that I stumbled upon it. I'm only mentioning the details here because A) Microsoft knows exactly how I found it B) It's patched.
I believe it would have actually have had use as a DDoS amplification platform. The responses sent back were 50-90x the size of the request.
They never told me why this worked. The first engineer I had talked to asked one of them if it was an edge case, and the other shook his head "no," and aaaalmost said what it was. Then he noticed I wasn't an MS employee and said he couldn't tell me that.
Re: (Score:3)
I actually submitted this story to slashdot, but it never got any comments, front page, etc.
Who? How? (Score:5, Insightful)
Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"
I mean, it's not like hashing or string comparison are hard problems.
Re:Who? How? (Score:4, Informative)
You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.
Re:Who? How? (Score:5, Insightful)
You'd be surprised. There's a LOT of bad security out there.
Understatement of the day.
Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.
Re:Who? How? (Score:5, Funny)
Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:
***********
Neat, huh?
Re:Who? How? (Score:4, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.
What if your PIN is a palindrome?
Re: (Score:3)
Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.
What if your PIN is a palindrome?
Then you get your money and the police....
Re: (Score:2)
Re:Who? How? (Score:5, Funny)
> What if your PIN is a palindrome?
you enter "emordnilap a"
Re: (Score:3, Funny)
I don't know who could get this wrong or how you could get this wrong.
Does it work if you have the same number of characters?
len(input) == len(password)?
or?
input == password OR (len(input) == len(password) AND string_is_all_spaces(input))
You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like tell someone to make an omelette and they accidentally build a time-machine. What the heck were they doing here??
Re: (Score:2, Informative)
It's not that hard to do.
Basically could be
a) debug code for QA left in to bypass login
b) buffer overflow (off by one); and an exception thrown that was caught outside the password system; that exited back to the main run-time. ... rarely tested by QA.
Testing that your code can actually handle the maximum number of characters allowable by the input field, is
I've personally crashed websites that don't restrcit the form input length on the password field. Apparently putting in 4096 character passers does ten
Re: (Score:2)
I bet it's due to a single equals sign.
if (password_retry = account_password) {...
Re: (Score:2)
personally im a huge fan of the way powershell does it--
* Comparison: $num1 -eq $num2
* Assignment: $num1 = $num2
Re: (Score:2)
Not just PS, that's a common pattern in many scripting languages, especially shell scripts. Microsoft picked from the best (there's a number of bash-isms in Powershell, for example) when writing that thing.
The compiler really *should* complain about assignment in a test statement, because it's a really common error to make. Or you can remove that option entirely (make assignments valueless statements, in which case that's a syntax error and won't compile at all) but then A) you're forking the languages, and
Re: (Score:2, Insightful)
No! No NO! This is an _extremely_ bad habit! The code looks like crap, but most importantly: you're changing the logical flow of the code. You're changing the way the code explains itself to the reader, which makes it harder to understand. It's like spelling errors in professional texts: it interrupts the flow of the reader.
ALL compilers nowadays warn about the assignment pattern. Try doing "if (i = 1)" in gcc or clang, for example, they'll insist you use double parenthesis around the assignment to explicit
Re: (Score:3)
I wonder...
Either this is some developer/tester login thing.
Or the developer did something weird were he removed whitespace, and a "correct" match was found when the manipulated/tested string was length 0.
Re: (Score:2)
It almost has to be a deliberate backdoor for testing that someone forgot to take out. I can't imagine "Trim()ing as password. But then I couldn't have believed anyone would smash case on a password before I heard Blizzard did it. I guess there's nothing so stupid that we should rule it out.
Re: (Score:2)
But this is not a keyboard/computer password. Allowances are made for less effective input devices. If extra spaces are a common problem when using Xbox text input, no one would think twice about it. Also, it is possible they just did not allow whitespace in a password, so instead of a warning they just removed it at creation and use (so it would work even if they thought your password has a space in it).
Re: (Score:2)
All of which would be bugfuck insane from a security perspective, but after Bliz admitting their password are case insensitive, I'll believe anything.
Re: (Score:2)
My online banking passwords are case insensitive too. And both banks explicitly said it's intentional and they aren't changing it.
Then again, my Australian bank account is protected by a password which must be exactly 6 characters, case insensitive, and cannot contain special characters of any kind. Oh, and must be entered by clicking static buttons on the page.
Re: (Score:2)
But it only happens on the second attempt. That implies some state is being carried over. I find it hard to believe that even a drunken monkey could do that by accident.
Possibly... (Score:5, Informative)
... the matching algo checks for zero length strings *before* it strips out whitespace so lets this through. Once it has stripped out this whitespace it *then* has a zero length string but doesn't know it and then the rest of the algo fails due to it.
I'll bet it something stupid like:
hashed_pwd = strip(input_pwd);
for(*ptr = hashed_pwd;*ptr;++ptr) // Match
{
if (hash char doesnt match) return BAD;
}
return MATCH;
Re: (Score:2)
Re: (Score:2)
The people who are waiting for you to develop secure password login libraries.
Re: (Score:2)
who goes "oh, whatever, we'll just match against whatever?"
As someone else suggested it's probably debug code that found its way into production. It's not a lack of skill problem it's a process problem, code reviews should have picked it up but obviously didn't, how it got as far as customers is the question MS should be asking.
Re: (Score:2)
I'm quite curious as to what sort of shortcut they took. I can't picture any sort of code that might end up with an issue as particular as this one. :-/
Re: (Score:2, Informative)
They're the people who invented "press cancel to log in" for windows 95.
Which was fine. Win95 was intended as a single-user system with no local security. That login screen was for using network resources, and was irrelevant for local access.
And if you don't encrypt your drives, your modern OS is no more secure than Win95 to someone with physical access.
Re: (Score:2)
Physical access covers rather a large range of situations. There's "being able to touch it" at one end and "being able to take it back to your lair" at the other.
Re: (Score:2)
There's no difference in my house. Where Win95 earned the hatred of geeks everywhere was for corporate office use, and it took MS forever in internet years to figure out the markets were so different - not until Win2000 did they have a sane OS for the business desktop.
Prosecute the child and father! (Score:5, Funny)
Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.
Re: (Score:2)
If this were AT&T, the boy would be on his way to Gitmo by now.
But Microsoft, so ... wow, good for them. </icky>
Re: (Score:2)
Hey, man, it's not like this is Pakistan... [yahoo.com]
Re: (Score:2)
You forgot to mention terrorism. No candy for you.
Re: (Score:2)
Given that the kid is 5 and likely in Kindergarten, he could say "I've been finding bugs in software almost since before *I* was in school!"
Re:Prosecute the child and father! (Score:4, Insightful)
Makes me wonder if the kid is just an attention ploy the dad used...
Attach video in kid's 2026 college application (Score:2)
I bet every undergraduate CS Department in the country will want him. :p
Re:Attach video in kid's 2026 college application (Score:4, Insightful)
Generally agree.
I would however note that it's that curiosity to try stuff like this and that "what happens if I.." mindset that tends to make a good hacker. Yes this kid lucked out, but it's always encouraging when you see this kinda "poke holes in everything" behaviour early on.
Re: (Score:2)
I lucked out guessing a wifi password once. The neighbor's had put up a network and called it "harunyahya". I googled for it and came up with some wacky creationist conspiracy nut. One of the most common words on the site was 'truth'. So I used that as the password and got in on my first attempt.
A little bit research and a lot of luck. Pretty satisfying either way :)
A year? Seriously? (Score:4, Interesting)
Sucks to be a security professional... (Score:5, Funny)
Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!
Re: (Score:2)
That's nothing. I've discovered flaws using quantum random input fuzzing on URLs that amounted to keys pounded on by a six month old baby.
The trick is not to disclose who discovered the flaw and breeched the security unless the Computer Fraud and Abuse Act is in play. If they come down on you, just point them to the private youtube video of an infant breeching their security and tell them it's only a matter of time before the babe randomly clicks the "make this video public" button.
Re: (Score:2)
Gotta love Asian child labor laws.
What kind of code that do that? (Score:3)
Re: (Score:2)
Good question. I can't imagine the code that would generate this bug.
Re: (Score:3)
My guess is it's an algorithm that starts with the assumption that the password is correct until proven incorrect, and something in that algorithm is breaking, leaving the correct assumption to stand.
This is of course lazy programming, but not entirely uncommon.
Re:What kind of code that do that? (Score:5, Interesting)
That's not to say the backdoor was necessarily malicious. Maybe the guy in charge of the password login system was always breaking stuff and locking himself out of his box, so he put a bypass in there so he could get in an fix it, but forgot to remove it later. It's at best really sloppy.
Re: (Score:2)
It rather shows that Microsoft *still* does not review security-sensitive code properly. How this could have passed any code review is beyond me.
Either they are so incredibly sloppy and incompetent (do you really want to entrust them your credit card then?!) or this was intentional. I am not sure which one is actually worse ...
Re: (Score:2)
Returning a boolean for password good bad, when the API returns false/zero for no error and nonzero error code for error is plausible.
MSDN is full of API documentation where the return value is counter intuitive, until you really consider the intent of the operation. So it is not outside the realm of possibility. I have had such problems myself using win32.
I actually debugged code where my C# sample was converted to vb, and the return value of ValidateCredentials was checked incorrectly after the conversion
Re: (Score:2)
Yeah, and keep count of which attempt number it is, and only do that if it's 2 (or 1 if you use C).
Broken by a 5 year old... (Score:2)
What caused it? (Score:2, Interesting)
Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account.
That's interesting. Let's speculate a bit about the bug.
Do you have any theories how the login part of the Xbox One software was programmed which caused it to behave like that?
Re: (Score:2)
What is this "second password verification screen"? Was it secondary identification questions (like mother's maiden name) or the same password again? I don't have an Xbox, so I have no idea what that means.
Re: (Score:2)
Default allow. Other possibilities, but this seems most probable.
Valid = true
Trim
For each character
If mismatch, valid is false
Given ac reply, they may be using a forgiving algo because it is not an actual password. I get irritated at security questions like favorite author, because did I enter first name, initial, or just surname? I'm curious if it can be bypassed using substrings as well.
I would not be surprised to find a forgiving check being financially more favorable than support calls.
"Security" that can be broken by a 5 years old ... (Score:2)
Fortunately the 5 years olds are easily bribed by a few games and an ice cream before they try to hack something more dangerous.
This sort of issue really instills a lot of confidence in the quality of that system *facepalm*.
My kid broke pepsi.com (Score:3, Interesting)
Posting anonymous because I'm still afraid that pepsi goons will break down my door any minute now.
Quite a few years ago, I found that sombody had shown my preschooler that you could enter code numbers from inside the caps of pepsi products to get "free" merch.
He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.
I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.
How? (Score:2)
How in God's green tarnation does somebody manage to produce a bug like that?
Re: (Score:2)
There's a post above by user Viol8 that gives a pretty plausible explanation.
forgot rule 12 of evil overlords (Score:5, Funny)
I guess their team of advisors is incomplete:
http://www.eviloverlord.com/li... [eviloverlord.com]
"12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."
And:
"60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."
Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.
Microsoft takes security very seriously (Score:2)
Microsoft fixed it, didn't they?
Microsoft takes security seriously.
(Hey, stop it. Stop laughing. Hey, I said STOP LAUGHING!)
Another reason to use Git. (Score:2)
I have a "backdoor" branch on some of my git repos. After I merge the working branch into "master" I merge "master" into "backdoor". This allows me to keep backdoors out of the public distributable / viewable code which makes it into releases. The ease of in-place branch and merge in Git is one of its greatest strengths IMO. Even if I accidentally push the "backdoor" code to the public build system, it builds from a "main" branch and doesn't introduce the testing backdoors into the binaries.
Re: (Score:2)
This is more easily handled in Mercurial's queues system. You can keep a bunch of patches in a queue like that, and those patches will just be magically applied. It's pretty useful for a whole lot of situations.
Surprising... (Score:2)
...but they were gracious about it. Microsoft surprise!
Found by a 5-year old (Score:2)
That right there should be a serious warning to anyone using or considering Microsoft products.
He's done it before. (Score:2)
From TFA:
Screw the games (Score:2)
That entry on the list is worth more than them combined. Just think when li'l Krissy is looking for a job in ITSEC two decades from now and when asked for "how long he's been in the business", he'll be the first person in history to be able to fulfill the usual "no older than 25 with at least 20 years of experience" requirement.
Why kids find bugs (Score:2)
A child will find bugs than an adult will miss, because an adult will only do reasonable things, while kids will try things that don't really make sense. Developers sometimes use little programs that just click things at random to try to catch these kinds of weird bugs, sometimes called "monkey testing."
Re: (Score:3, Insightful)
OK, So they have learned about Jack in these last 16 years... but they are still having some trouble with Shit.
Re: (Score:3, Funny)
You have that backwards. M$ has always known about shit. Just look at their products.
Re: (Score:2)
I was going to say... didn't win98 have a similar issue. Make two log in attempts with a password and on the third leave the password field blank or something like that?
Re: (Score:2)
Re: (Score:2, Flamebait)
Balmy and less authoritarian.
Balmer, and less authoritarian.
There, FTFY.
Re: (Score:3, Insightful)
> Hello, you appear to be new to Slashdot
"For discovering a multi-million dollar bug that would have required us to shut everything down until fixed, and probably reverted our databases by several days, you get almost nothing! Good day, sir!"
"Wut?"
"I said 'Good day, sir!' !"
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)