Five-Year-Old Uncovers Xbox One Login Flaw 196
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
Re:Who? How? (Score:4, Informative)
You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.
Re:$300? (Score:5, Informative)
To put it in perspective, that $100K was for bypassing exploit mitigation features that cross all processes on the system, and would severely undermine Windows 8.1's security features. This one seems to require you to be standing in front of a specific console.
Still, what a stupid bug to have.
Possibly... (Score:5, Informative)
... the matching algo checks for zero length strings *before* it strips out whitespace so lets this through. Once it has stripped out this whitespace it *then* has a zero length string but doesn't know it and then the rest of the algo fails due to it.
I'll bet it something stupid like:
hashed_pwd = strip(input_pwd);
for(*ptr = hashed_pwd;*ptr;++ptr) // Match
{
if (hash char doesnt match) return BAD;
}
return MATCH;
Re:Who? How? (Score:2, Informative)
They're the people who invented "press cancel to log in" for windows 95.
Which was fine. Win95 was intended as a single-user system with no local security. That login screen was for using network resources, and was irrelevant for local access.
And if you don't encrypt your drives, your modern OS is no more secure than Win95 to someone with physical access.
Re:Who? How? (Score:2, Informative)
It's not that hard to do.
Basically could be
a) debug code for QA left in to bypass login
b) buffer overflow (off by one); and an exception thrown that was caught outside the password system; that exited back to the main run-time. ... rarely tested by QA.
Testing that your code can actually handle the maximum number of characters allowable by the input field, is
I've personally crashed websites that don't restrcit the form input length on the password field. Apparently putting in 4096 character passers does tend to cause issues on -many- sites.
c) Other logic errors:
You explicitly forbid empty password from entry.
Some process internally does a trim($b)
Password process throws an unhandled exception case due to using an empty string; or null value returned from the password hashing; validation, oro assocated sub layer.
Maximum length exceeded (-1) combined with a trimmed length of 0; can cause issues if an assumption of "the password cannot be empty at this point" was inadertantly violated.
You code each layer with the assumption of where the data came from, and whether it's been validated or rejected at a higher layer. Something slipping by causes lots of strange, and subtle bugs.