
5-year-old Ocean Beach boy exposes Microsoft Xbox vulnerability - dan1234
http://www.10news.com/news/5-year-old-ocean-beach-exposes-microsoft-xbox-vulnerability
======
dredmorbius
NB: what is it about small and local news sites, usually TV stations, but also
newspapers and such, which cannot _CLEARLY_ indicate _where_ in the
world they are?

"Ocean Beach" is a pleasantly anonymous place name (I can think of several
neighborhoods matching this, the U.S. Gazetteer of Places identifies it as
Ocean Beach, NY), affording very little by way of actual location.

In an age before widespread Internet use, I experienced similar frustrations
while listening to clear channel AM radio broadcasts in the back country. It
wasn't uncommon to pull in strong signals from hundreds to a thousand miles
away. And while there's something delightfully surreal in listening to the
mundania of local traffic and news reports, if you happen to be in a
wilderness location trying to find a reliable weather forecast, "area
conditions" doesn't do much for you.

~~~
atacrawl
Completely agree. "Where are you?" is _basic_ information when location is at
all relevant, and site designers frequently make the false assumption that
every visitor is a local who knows exactly what you meant.

And it's not just news sites -- I once made a service reservation at a Toyota
dealership in another state because it had the same name as the one I wanted
and no indication of where it was in any global assets (it was buried on a
"directions" page).

~~~
CocaKoala
How did you make the service reservation? There wasn't a phone number with
area code prominently displayed anywhere?

~~~
atacrawl
Good question: I was new to the Chicagoland area at the time and chalked it up
to not being aware of what all the area codes were.

------
chanced
"At age 1, Kristoffer got past the toddler lock screen on a cell phone by
holding down the home key."

Not to be "that guy" or anything but I suspect it is pretty normal for a child
to hold down a button.

First, what kind of lousy lock wouldn't safeguard against, what was likely
either the only or one of a few buttons, being held down?

Second, sounds like proud father has made at least a few false connections. He
is a geeky equivalent of a creationist museum tourist.

------
peterwwillis
Wow. This is the Mavis Beacon Typing Tutor hack.

Years ago (jesus, has it been 15 years?), I was in computer class on the old
Macintoshes they had with Mavis Beacon Typing Tutor. We were supposed to type
out the sentences we read to increase our typing speed, and learn the home
row. I hated home row, and insisted that hunt-and-peck was more comfortable
for me. But the teacher was adamant I use home row only, which was annoying. I
was also not very fast at either form of typing.

I discovered by accident that if I hit the spacebar for each letter in each
word, the program interpreted it as a successful spelling. All I had to do was
keep typing the spacebar to complete the words. So I'd put my fingers on the
home row, moving my fingers up and down, and pressing the spacebar with my
thumb. I got 120 words per minute.

~~~
72deluxe
Haha that's stupid. Did the program not bother checking to see what the
keycodes were? Did it have just a function OnKeyPress that incremented the
counter?

Laziness! Why do I bother writing decent software when there's so much junk
floating around that people BUY?

~~~
pervycreeper
> Why do I bother writing decent software when there's so much junk floating
> around that people BUY?

Assuming it's free software, that question answers itself.

~~~
vxNsr
Mavis Beacon? They charged schools an arm and a leg for that back in the day.

------
quackerhacker
So I told this story to my wife, because at first I was a little envious
(wishing my boy did this)...then her being the devil's advocate made me
realize something...if a 5-year-old can bypass Xbox's verification by
_pressing space keys and enter_ then it says volumes about Xbox's verification
checks.

Who was sleeping at the wheel when Xbox didn't add empty strings to password
verification checks?

------
67726e
Maybe I'm just cynical, but given that the father is a security researcher,
does anyone else think that he himself found the vulnerability but concocted
the story to get some free press?

~~~
Gracana
You don't have to be a security researcher to type stuff into a password box
and try it out. It doesn't seem so far-fetched to me.

~~~
stephengillie
So this is like junior astronomers getting credit for finding planets with
telescopes designed and funded by senior astronomers?

~~~
scott_karana
Except that it's an off-the-shelf Xbox One. Any of his friends could have
hypothetically found the vulnerability.

------
kmfrk
On another note, the whitehat bounty seems ridiculously low, if we're to take
him as a peer:

    
    
        Kristoffer will receive four games, $50 and a year-long
        subscription to Xbox Live from Microsoft.

------
quux
As I read the article I kept expecting the part where he was suspended from
school for the rest of the semester for breaking the school's zero tolerance
policy on "cyber attacks" or something.

------
yincrash
It's really refreshing to see a family embrace their son's inventiveness and
tenacity rather than reprimand the kid for breaking past the parental controls.

~~~
theandrewbailey
It's really refreshing to see a company embrace their customer's inventiveness
and tenacity rather than suing them for breaking their products.

~~~
rbanffy
It's really refreshing to see a company that sets their security bar so low
that even a small kid can get a kick out of discovering a security
vulnerability. This could be the start of a long and rewarding career, ;-)

~~~
giantrobothead
It's really refreshing to hold Ctrl-R and see what new comments slide into
place.

------
samelawrence
Is it just me, or should they have given him more than $120 for exposing this
major flaw?

~~~
watty
It may have just been a way to get into local accounts, which I wouldn't
consider "major". Also four games, one year of live, and $50 is more than
$120.

~~~
ampersandy
If Microsoft's entire child-security protections don't work, I'd say that's
fairly major. What might have been a very compelling feature for parents has
been shown to be ineffective (if your kids know about the vulnerability, which
for young children is admittedly unlikely).

They paid him at all, which is good, but it also shows that there's no reason
they couldn't have authorized a bigger payout. It's still, at most, $350. Why
not free Xbox Gold for life instead of one year? There's no cost to Microsoft.

------
ilbe
Spaces, really? Can someone speculate what might be happening under the hood?

~~~
binarymax
It was noted as a backdoor. Presumably that means it was purposefully
programmed in for testing (and possibly even production), and made its way
into the delivered software. So the under-the-hood speculation being a simple
if statement allowing for all-space passwords to grant access.

~~~
lostInTheWoods3
Sounds more like a bug than a backdoor. I would think spaces aren't an allowed
character. Likely their validation regex didn't expect a series of spaces, and
this edge case not being caught, somehow allows access.

~~~
markbnj
Developers put these kinds of bypasses into login code quite frequently. When
you're testing and fixing bugs typing in a password over and over gets old. As
the poster above noted, the code is usually surrounded by conditional
compilation directives, or otherwise marked as not being permissible in a
production build.

------
zemo
What level of crime is this? Does this count as computer trespass in NY? If
so, that's a class E felony.

    
    
      § 156.10 Computer trespass.
        A person is guilty of computer trespass when he or she knowingly uses,
      causes to be used, or accesses a computer, computer service, or computer
      network without authorization and:
        1.  he or she does so with an intent to commit or attempt to commit or
      further the commission of any felony; or
        2. he or she thereby knowingly gains access to computer material.
        Computer trespass is a class E felony.
    

[http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAW...](http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAWS+&QUERYDATA=$$PEN156.10$$@TXPEN0156.10+&LIST=LAW+&BROWSER=BROWSER+&TOKEN=03545439+&TARGET=VIEW)

~~~
dkrich
Well, first the father would have to press charges against his 5-year-old son.
Probably not likely, and, eh, I just can't.

~~~
h4pless
I'm not sure about New York but in many states, the victim has no say whether
or not charges are pressed against the defendant. It's usually at the sole
discretion of the District Attorney.

That being said, this is hardly a triable case as the defendant is 5 years
old. The DA would have to prove that the kid knew what he was doing enough to
have the culpability to commit a crime, then they would have to convince a
jury of adults that a kid should face criminal consequences for hacking his
dad's xbox account.

------
vectorpush
Look out homakov. :)

------
crystalmace
Oh sure. When he bypasses child locks he gets rewarded by his parents and
Microsoft. When I bypassed child locks and parental controls when I was
younger, I got in trouble and my computer taken away. :D

------
elwell
This is indicative of disorganized program structure. Form validation
shouldn't be unique to separate forms; they should all be piped through the
same place, where validation is done.
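
The failure mode speculated about earlier in this thread (an all-spaces entry getting past a validator), next to a single deny-by-default check of the kind the comment above argues for, as an added example that is not from the article, Microsoft, or any commenter. The passcode, salt and function names are constructed, and the flawed logic is a hypothetical illustration, not the actual Xbox code.

```python
import hashlib
import hmac

# Constructed sample record: salt and PBKDF2 digest for a made-up passcode.
SALT = b"constructed-salt"
ITERATIONS = 10_000  # kept low so the demo runs quickly


def _digest(passcode: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), SALT, ITERATIONS)


STORED = _digest("correct horse")

# Constructed inputs that must never be accepted for this record.
EDGE_CASES = ["", " ", "        ", "\t\n", "\u00a0\u00a0", "wrong"]


def verify_fail_open(entered: str) -> bool:
    """Hypothetical flawed check: rejects on mismatch, allows by default."""
    cleaned = entered.strip()
    # The comparison is skipped when trimming leaves nothing to compare,
    # so an all-whitespace entry falls through to the default "allow".
    if cleaned and not hmac.compare_digest(_digest(cleaned), STORED):
        return False
    return True


def verify_fail_closed(entered: str) -> bool:
    """Single shared check: denies by default and never rewrites the input."""
    if not isinstance(entered, str) or not entered or entered.isspace():
        return False
    return hmac.compare_digest(_digest(entered), STORED)


def wrongly_accepted(verifier) -> list:
    """Return the edge-case inputs a verifier accepts (should be empty)."""
    return [case for case in EDGE_CASES if verifier(case)]


if __name__ == "__main__":
    print("fail-open accepts:  ", wrongly_accepted(verify_fail_open))
    print("fail-closed accepts:", wrongly_accepted(verify_fail_closed))
```

Running the same edge-case list against every entry point that checks a passcode is a cheap regression test for this class of bug.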

------
Aardwolf
When I was 5 years old all I could do was sort Duplo blocks by color, and I
don't even have a memory of it :(. I get sort of jealous if I see how smart
small kids can be.

------
SwiftCeipt
I don't think it's that surprising, kids have all the time in the world. When I
was a kid I worked on cracking the Fridge lock.. Perhaps my time was poorly
spent.

------
Evolved
If you scroll down to the bottom where it says "Trending Now" all of the
headlines (including this one) state 10news.com KGTV ABC San Diego.

------
S4M
Seriously, is this true or a late April's fool?

~~~
raptorious
This was my first thought also. But his name is actually on the list of
security researchers (or someone who has the same name of course ;).
[http://technet.microsoft.com/en-us/security/cc308589.aspx](http://technet.microsoft.com/en-us/security/cc308589.aspx)

------
snorkel
Sennnsatioonal!!!

> At age 1, Kristoffer got past the toddler lock screen on a cell phone by
> holding down the home key.

... uh ... pretty sure that's because he watched his father doing it in
order to use the phone.

------
elwell
“I was like yea!”

------
jdorfman
fucking awesome

------
gygygy
Why do I get the feeling someone is trying to say that an Xbox could even be
hacked by a 5 year old. I smell something fishy. :p

