Industry News

How a five-year-old hacked his dad’s Xbox One, only to be rewarded by Microsoft [VIDEO]

A 5-year-old boy has found a serious and easily exploited security vulnerability in Microsoft’s Xbox One games console, that allows unauthorised parties to log into Xbox Live accounts without the correct password.

Kristoffer Von Hassel wanted to play games that he wasn’t supposed to, but needed to crack into his father’s Xbox Live account to do it.

So, this is what the pint-sized wannabe penetration tester did:

Firstly, Kristoffer would attempt to log into his dad’s account, but would enter an incorrect password into the Xbox Live. That much was easy, after all he didn’t know his father’s password.

But then, at a second verification screen, the youngster discovered that simply entering multiple spaces would grant access to the account.

Now he could access any games he wanted on his parents’ Xbox One, including inappropriate choices such as the violent first-person shooter Call of Duty.

Kristoffer, from Ocean Beach in San Diego, California, clearly loves his video games – but he appears to have a good knack for finding security holes too.

You can see Kristoffer in action in the following news report:

Entering lots of spaces into a password field? Hmm. That sounds like the kind of unusual input (rather like entering no password at all) which should have been tested by Microsoft.

Microsoft has recognised Kristoffer’s responsible disclosure of the security flaw on its website, where his name appears on a long list of other vulnerability researchers who have found flaws in the company’s online services.

In a statement issued by Microsoft, the software giant explained that the security hole was now patched.

“We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”

As a way of a thank you, Microsoft sent Kristoffer four free games, $50, and a year’s subscription to Xbox Live Gold. Wow, Microsoft’s generosity really knows no bounds.

(Mind you, I suppose it’s better than when Yahoo offered researchers a $12.50 t-shirt for finding security flaws on its site).

Although the media has had a lot of fun talking up the “leet” skills of this five-year-old boy, there is a serious point here.

Microsoft has demonstrated that it had weak password security on the Xbox One. In fact, it was literally child’s play to uncover just how sloppy the Seattle engineers had been.

If it was possible for such a simple security flaw to exist in the Xbox One, potentially granting hackers access to Xbox Live accounts, who knows what other Microsoft online systems might also suffer from similar serious issues and offer backdoor access to third parties?

As more and more household devices become connected to the internet, it is essential that vendors treat security as a matter of a priority.

The risk is that manufacturers of internet fridges, home control systems and videogame consoles may not live and breathe security, and expose consumers to threats as a result.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.