
5 year old boy finds Xbox security flaw.

Status
Not open for further replies.

Jodell88

Diamond Member
The boy worked out that entering the wrong password into the log-in screen would bring up a second password verification screen.
Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.
"I got nervous. I thought he was going to find out," Kristoffer told television station KGTV.
"I thought someone was going to steal the Xbox."
http://www.bbc.com/news/technology-26879185
 
NSA probably asked Microsoft for a backdoor, assuring them no one but them would ever know it existed.
 
I'm trying to imagine how you would accidentally code something that would reject "wrong" passwords (presumably by comparing to the "right" one in some fashion) but somehow treat all spaces as the correct password. Seems like you'd have to intentionally code for that situation to work.
 
I'm trying to imagine how you would accidentally code something that would reject "wrong" passwords (presumably by comparing to the "right" one in some fashion) but somehow treat all spaces as the correct password. Seems like you'd have to intentionally code for that situation to work.

Things like this are often "back doors" put in by devs to make it easier to log in and do something.

If you look at the code it will probably have this above it:

/* REMOVE */
 
I'm trying to imagine how you would accidentally code something that would reject "wrong" passwords (presumably by comparing to the "right" one in some fashion) but somehow treat all spaces as the correct password. Seems like you'd have to intentionally code for that situation to work.

You would have to be pretty dense to do this but (in pseudo-code):

if ($realPassword patternMatches (stripWhitespace($attemptedPassword))) {
    acceptPassword();
}

This will work for any whitespace value for $attemptedPassword. But, as I said, you'd have to be pretty dense to do this.
 
Hahaha that is hilarious! I'm thinking it's probably something that strips white spaces or something, but then, it would just be like entering a blank password so it should still not work, unless the dad's password was blank? lol.
 
As someone who works in security, this is really actually more common than you'd want to think, but still incredibly ridiculous for a company like Microsoft nonetheless.
 
Next news story: 5 year old banned from the Xbox network for life as well as blacklisted from future IT job opportunities.
 
Next news story: 5 year old banned from the Xbox network for life as well as blacklisted from future IT job opportunities.

If you read the article they actually hooked him up with a slew of free games and put him on their security list. As hilarious a gaffe as this is for Microsoft, they handled it with class.
 
You would have to be pretty dense to do this but (in pseudo-code):

if ($realPassword patternMatches (stripWhitespace($attemptedPassword))) {
    acceptPassword();
}

This will work for any whitespace value for $attemptedPassword. But, as I said, you'd have to be pretty dense to do this.

Err, how does patternMatches work on an empty string?
 