Five-Year-Old Uncovers Xbox One Login Flaw 196
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
$300? (Score:5, Insightful)
What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.
Who? How? (Score:5, Insightful)
Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"
I mean, it's not like hashing or string comparison are hard problems.
Re:$300? (Score:3, Insightful)
Re:Fuck M$ (Score:3, Insightful)
OK, So they have learned about Jack in these last 16 years... but they are still having some trouble with Shit.
Re:Who? How? (Score:5, Insightful)
You'd be surprised. There's a LOT of bad security out there.
Understatement of the day.
Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.
Re:Attach video in kid's 2026 college application (Score:4, Insightful)
Generally agree.
I would however note that it's that curiosity to try stuff like this and that "what happens if I.." mindset that tends to make a good hacker. Yes this kid lucked out, but it's always encouraging when you see this kinda "poke holes in everything" behaviour early on.
Re:Prosecute the child and father! (Score:4, Insightful)
Makes me wonder if the kid is just an attention ploy the dad used...
Re:$300? (Score:4, Insightful)
"Filling out a text field with spaces" isn't something that usually gets tested. I can only imagine what kind of code flaw would cause this to work, but not some other set of characters.
Re:Fuck M$ (Score:3, Insightful)
> Hello, you appear to be new to Slashdot
"For discovering a multi-million dollar bug that would have required us to shut everything down until fixed, and probably reverted our databases by several days, you get almost nothing! Good day, sir!"
"Wut?"
"I said 'Good day, sir!' !"
Re:$300? (Score:4, Insightful)
Which is why peer reviews of code changes are conducted at many places these days.
Re:Who? How? (Score:2, Insightful)
No! No NO! This is an _extremely_ bad habit! The code looks like crap, but most importantly: you're changing the logical flow of the code. You're changing the way the code explains itself to the reader, which makes it harder to understand. It's like spelling errors in professional texts: it interrupts the flow of the reader.
ALL compilers nowadays warn about the assignment pattern. Try doing "if (i = 1)" in gcc or clang, for example, they'll insist you use double parenthesis around the assignment to explicitly tell it you're really not just missing an equals sign.
For the love of neat code and all that is holy, please drop this extremely annoying "if (constant == variable)" pattern!