Xbox Live Password Vulnerability Found By 5 Year Old

What do you do when a five year old finds a security loophole in a network containing well over 50 million users? That’s the question that Microsoft was faced with last month.

The World’s Most Basic Password Vulnerability



The five year old boy, Kristoffer, discovered what may be the most basic password vulnerability yet. It’s right up there with being able to just input no password or write ‘password’ and still get in. Except, this password bypass technique is actually real!

Well, it was…Microsoft obviously patched it once Kristoffer brought it to their attention.

So, what’s the vulnerability that he found?

Kristoffer’s Story

Well, he was trying to hack into his father’s account so he could play games that he did not have direct access to – games that he was not allowed to play. He tried to guess the password, but no luck. However, the incorrect password prompted a password verification window. All he had to do from here was use the space button and press enter, and all of a sudden he gained access to his father’s account.

Interestingly enough, his father actually works in the field of computer security. When the story hit the press, he said that it wasn’t his son’s first time finding a vulnerability – he discovered how to bypass the toddler lock on his cell phone by holding the home key, at the age of one!

Of course, there will be conspiracies that his father actually discovered the vulnerability considering he works in computer security. A sort of ‘alibi’ to back up that his son found the vulnerability comes through the commentary on how they found out that he accessed the account. Shortly after Christmas, it was noticed that his (the father’s) account was logged in even though he was not at his console. This raised concern as he thought his console was stolen, but it was still at home when he got home – so he probed his son about it and found out that he bypassed his password to play some games that he wasn’t supposed to. The entire story was aired on 10 News.

How Serious Was The Vulnerability?

This is the scary part – the vulnerability was not a fluke, it was completely real. All he had to do was get to the password verification screen and then hit the space key a bunch of times and press enter. There is no mentioning of how many users this bug affected, but it was true and verified by Microsoft.

One interesting point is that the update only rolled out for the Xbox One, which supports the belief that it only affected Xbox One users. Makes sense, a vulnerability such as this would have gone noticed much sooner if it affected the Xbox 360 console as well.

It is also interesting to point out that the vulnerability worked by hitting the space key until you cannot enter it anymore and then pressing enter. This was demonstrated by Kristoffer’s father as he provided the instructions for him to take advantage of the vulnerability in the same way that his son did.

The Xbox One has proven to be problematic since its release date. Immediate system updates were required to ensure that the new console owners were able to properly enjoy their gaming system. There are still some major flaws with the console, but they are gradually getting patched.

This particular vulnerability just goes to show that there are likely many other issues that have yet to be found – if this is one of the simpler problems, just imagine the more complex issues that are hiding under the surface.

What Did Kristoffer Get For His Discovery?

He thought he was going to get punished by his father, but all he got was praise. Plus some presents from Microsoft!

He received $50 in cash, a one year subscription to Xbox Live (hack free!), and four video games. Possibly more valuable was his recognition as a ‘security researcher’ for Microsoft Online Services. This is a title that has been rewarded to many individuals and businesses, but most are much older and more experienced with discovering security vulnerabilities.

Kristoffer was obviously happy for the rewards that he received for discovering the vulnerability. However, he was most excited for the fact that he was recognized as one of Microsoft’s security researches – and he should be. After all, how cool is it to say that you played a role in the security of Microsoft’s coolest product? Oh, not to mention that it will make for a great accomplishment to list on his resume many years down the road!

He now wants to be a gamer when he grows up. Although it seems that he has that accomplished. So hopefully he starts to head down the road that his father hopes, which is something more geared towards computer security. Like father, like son, as he has proven to be with this incredible accomplishment.