85 comments

[ 2.4 ms ] story [ 69.8 ms ] thread
Wow. I'm so completely amazed by his technical expertise. :|
Is it just me, or should they have given him more than $120 for exposing this major flaw?
I was thinking the same. If you value a video game at $50, it comes closer to $300 but that still seems paltry for a vulnerability that seems to give full access (from the console at least) to a user's account.
Except those games won't resell at that price. In the end it's less expensive for MS but I suppose it would satisfy a young gamer. As an adult I wouldn't like to be paid in games or in on-line subscriptions.
I'm sure if MS hired you as a security researcher they would pay you better.
It may have just been a way to get into local accounts, which I wouldn't consider "major". Also four games, one year of live, and $50 is more than $120.
If Microsoft's entire child-security protections don't work; I'd say that's fairly major. What might have been a very compelling feature for parents has been shown to be ineffective (if your kids know about the vulnerability, which for young children is admittedly unlikely).

They paid him at all, which is good, but it also shows that there's no reason they couldn't have authorized a bigger payout. It's still, at most, $350. Why not free Xbox Gold for life instead of one year? There's no cost to Microsoft.

Why are the obligated to give something out for finding a flaw?
There's no obligation, it works as a deterrent for publishing the vulnerability to potentially bad people. Many tech companies now offer a reward for submitting vulnerabilities, it's more often than not cheaper than being exposed.
Spaces, really? Can someone speculate what might be happening under the hood?
It was noted as a backdoor. Presumably that means it was purposefully programmed in for testing (and possibly even production), and made its way into the delivered software. So the under-the-hood speculation being a simple if statement allowing for all-space passwords to grant access.
That was the first thing that came to mind, too. It isn't unusual to program in a shortcut like that for the QA team. It just looks like it was missed when they rolled that code out.

It just goes to show (if my assumption is correct) that it's worth NOT adding in those efficiencies, when possible, because of situations just like this one.

No, that's why you tie that kind of code to a compiler flag.
I feel kind of dumb for asking this, but how do you do that?
It can be as simple as:

    #ifdef DEBUG
    ... code ...
    #endif
(comment deleted)
In C and C-derived languages, the C preprocessor can do some work on its own before anything ever hits the compiler. You can put a block of code like:

    #ifdef DEBUG
    if (pw == "backdoor")
      return true;
    #endif
And then when you want to have your backdoor active, just #define DEBUG somewhere upstream. That way, the backdoor code will never even be compiled in a non-debug program.
Depends on the language/compiler/linker/preprocessor/interpreter/etc.

I'm not really a C developer, but since it's a lingua franca, GCC lets you pass in -D (name), which will define that passed in as a macro, letting you do stuff like

  #ifdef DEBUG
  //Do debug stuff
  #endif
so that if you run gcc with -DDEBUG, you will have DEBUG defined and set to 1 (you can also do DEBUG=val and similar I believe), and if you don't, it will be removed.

Java, I don't believe javac has a similar compiler mechanism; you either need a hardcoded global value in the source code

  public static final boolean DEBUG = true;
and you can do similar

  if DEBUG { (...) }
and then for your prod compile you set DEBUG to false and recompile everything; or, you can swap out implementations of a particular class, and have everything code to the interface (all that typical Java IoC dependency injection joy).

For any other language, consult your documentation. If there's nothing else, and the language allows you to pass in arguments into the runtime executable, you could always do something really ungainly like accept an argument for 'environment', and have code that executes differently based on that. It's a minimal cost (since any given run will lead to that particular switch always executing the same way, I'd wager your CPUs branch prediction is going to effectively make it free, but even if it doesn't, it's minimal impact), and it lets you execute the code differently based on what environment you specify you're in.

(comment deleted)
The article mentions the field was for a verification password; would Microsoft really admit that they'd implemented such a backdoor (a very strange one at that)?

To me it seems more plausible that the verification answer was a series of spaces. Perhaps the bounty was paid for noticing insecure verification answers weren't rejected?

Sounds more like a bug than a backdoor. I would think spaces aren't an allowed character. Likely their validation regex didn't expect a series of spaces, and this edge case not being caught, somehow allows access.
Developers put these kinds of bypasses into login code quite frequently. When you're testing and fixing bugs typing in a password over and over gets old. As the poster above noted, the code is usually surrounded by conditional compilation directives, or otherwise marked as not being permissible in a production build.
That's how it was reported, but given the rest of the article, I suspect that isn't a technical term.

Really the whole thing reminds me about how I used to break the parental locks on my TV as a kid. I doubt this kid was the first to discover this, but probably because of the work his father does, they were able to make the right right calls and send the right emails.

Not sure, but I had a similar bug once due to a trim() combined with an out-of-order string length check. But that would imply that Xbox Live does not allow passwords with spaces or something.
Maybe leading and/or trailing spaces.

Conjecture here, but maybe the code checks the length as greater than 0, and then trims the string. Depending on how the string comparison is performed, that empty string might pass.

This can't be the Xbox Live account password, because surely that is sending hashes over the wire and not plaintext. Maybe the parental controls don't have the same kind of security, but I don't know that it is needed.

Why do I get the feeling someone is trying to say that a xBox could even be hacked a 5 year old. I smell something fishy. :p
(comment deleted)
NB: what is it about small and local news sites, usually TV stations, but also newspapers and such, which cannot * CLEARLY * indicate where in the world they are?

"Ocean Beach" is a pleasantly anonymous place name (I can think of several neighborhoods matching this, the U.S. Gazetteer of Places identifies it as Ocean Beach, NY), affording very little by way of actual location.

In an age before widespread Internet use, I experienced similar frustrations while listening to clear channel AM radio broadcasts in the back country. It wasn't uncommon to pull in strong signals from hundreds to a thousand miles away. And while there's something delightfully surreal in listening to the mundania of local traffic and news reports, if you happen to be in a wilderness location trying to find a reliable weather forecast, "area conditions" doesn't do much for you.

http://en.wikipedia.org/wiki/KGTV San Diego, California
I'm aware that I can look up broadcasters' call letters, but that really shouldn't be necessary.

Why cannot KGTV note * ON ITS WEBSITE * its geographic affiliation.

Worse is when you run into a newspaper site which flat-out refuses to ID its locale. Where the hell is, without looking it up, the Springfield News-Leader?

(The only hint on the publication's website is its weather forecast).

It's a * WORLD * wide web, folks. Start acting like it.

> It's a * WORLD * wide web, folks. Start acting like it.

But they're not a worldwide news service, they are a local one. Why are they obligated to cater to people who don't live in the area they service?

At least some place on their site, they might acknowledge what state they are in.
Maybe I'm old-fashioned, but I remember when news stories would carry a dateline providing this information.

On many sites (including large ones), there's not even a date offered.

Because we are the internet and they owe us everything.
"Where are you" and "is the relevant" to me isn't "everything" by a long shot.

Truth is: someone can stumble across a website from literally anywhere on the planet. For those who are in your neighborhood, indicating that you are relevant is useful. Likewise for those who aren't.

> Why cannot KGTV note * ON ITS WEBSITE * its geographic affiliation.

They do. Click the "10news" icon, and look at the titlebar.

I've noticed the same thing, and I can't figure out why they do it. You can usually get hints about where they are by the advertisers they have, or in the case of TV or radio stations, by looking up their call letters on wikipedia: http://en.wikipedia.org/wiki/KGTV

FYI, Ocean Beach in this case isn't even a town, it's a neighborhood in San Diego, CA. Ocean Beach, NY is a beach town with very, very few permanent residents because it's only accessible by ferry or bicycle.

I don't mind a local news channel using local references in headlines, but it would have been nice for the submission title to be modified accordingly.
A local news outlet in the town of Springfield doesn't typically need to place the town name in absolute terms. The locals know what they mean. Springfield is the place (right here) that they all know and love.

The onus falls on national/international news outlets to make those clarifications when necessary.

Also, for accurate weather, you should tune your radio accordingly:

    http://www.nws.noaa.gov/nwr/nwrbro.htm
Completely agree. "Where are you?" is basic information when location is at all relevant, and site designers frequently make the false assumption that every visitor is a local who knows exactly what you meant.

And it's not just news sites -- I once made a service reservation at a Toyota dealership in another state because it had the same name as the one I wanted and no indication of where it was in any global assets (it was buried on a "directions" page).

How did you make the service reservation? There wasn't a phone number with area code prominently displayed anywhere?
Good question: I was new to the Chicagoland area at the time and chalked it up to not being aware of what all the area codes were.
I can see an argument for intentionally leaving that info off. They are a local site and don't really care about one off traffic like mine or yours, we won't be coming back anyway. And specifying that info may make the site feel less local to the actual repeat audience.
Wow. This is the mavis beacon typing tutor hack.

Years ago (jesus, has it been 15 years?), I was in computer class on the old Macintoshes they had with Mavis Beacon Typing Tutor. We were supposed to type out the sentences we read to increase our typing speed, and learn the home row. I hated home row, and insisted that hunt-and-peck was more comfortable for me. But the teacher was adamant I use home row only, which was annoying. I was also not very fast at either form of typing.

I discovered by accident that if I hit the spacebar for each letter in each word, the program interpreted it as a successful spelling. All I had to do was keep typing the spacebar to complete the words. So i'd put my fingers on the home row, moving my fingers up and down, and pressing the spacebar with my thumb. I got 120 words per minute.

Haha that's stupid. Did the program not bother checking to see what the keycodes were? Did it have just a function OnKeyPress that incremented the counter?

Laziness! Why do I bother writing decent software when there's so much junk floating around that people BUY?

    errors = 0
    if keypress == ' ':
      for i,letter in enumerate(entered_word):
        if letter != presented_word[i]:
          errors += 1
>Why do I bother writing decent software when there's so much junk floating around that people BUY?

Assuming it's free software, that question answers itself.

Mavis Beacon? They charged schools an arm and a leg for that back in the day.
I remember discovering a similar (maybe the same) bug in my typing classes. I was a fairly good typist, so I would finish the assignment as quickly as I could and then play games on the computer. The teacher wasn't very happy with this and wanted me to continue typing. So, in frustration and boredom, I just typed a bunch of spaces and was quite surprised when it accepted it as correct. I told a few of my friends about this and it quickly spread. The teacher became suspicious of the scores, and I got blamed for discovering the flaw. The teacher then decided she had to watch me complete every one of the typing excercises to make sure I wasn't cheating. Luckily for me, after a few weeks of that she let me go back to completing the assignments quickly and playing games. I still wish my school would have had a more knowledgeable computer teacher to push me to do programming excercises or something more productive than wasting that time playing games.
In high school we had a similar class that required us to use Mavis Beacon (or some similar typing application) and report our words per minute. I thought this a waste of time and annoying, so I wrote a program to simulate the keystrokes and type for me. I think the teacher knew something was amiss though when it showed that I was typing at over 5000 words per minute.
Maybe I'm just cynical, but given that the father is a security researcher, does anyone else think that he himself found the vulnerability but concocted the story to get some free press?
Wouldn't be the first time parents did the work for their kids to give them a line item on their 'resume'.

As an aside, this gave me an idea: Grey hat SEO/reputation consulting for your kids' reputations.

You don't have to be a security researcher to type stuff into a password box and try it out. It doesn't seem so far-fetched to me.
So this is like junior astronomers getting credit for finding planets with telescopes designed and funded by senior astronomers?
Except that it's an off-the-shelf Xbox One. Any of his friends could have hypothetically found the vulnerability.
I don't think a security researcher would waste his time hitting the space bar to try and crack in. They'd probably look for other, more sophisticated vectors, simply because the probability of such a crude attack working is very low.

In this case, inexplicably, it worked.

Given the kid's history of interesting discoveries, I'd say this is legit. It's not very sophisticated, but it sure is effective. If your father was someone trained to probe for problems, if you'd grown up with that sort of encouragement, you'd probably try the same thing at your own level of ability.

Props to the kid!

No, but surely it had something to do with the way the vulnerability was reported rather than merely shrugged off.
And after all that plotting he accepted $50, 4 game a year free Xbox Live? That seems very 'un-ambitious'
The goal being the free press, not a few bucks worth of recognition from Microsoft.
When I was 5 years old all I could do was sort Duplo blocks by color, and I don't even have a memory of it :(. I get sort of jealous if I see how smart small kids can be.
It's really refreshing to see a family embrace their son's inventiveness and tenacity rather than reprimand the kid for breaking past the parental controls
It's really refreshing to see a company embrace their customer's inventiveness and tenacity rather than suing them for breaking their products.
It's really refreshing to see a company that sets their security bar so low that even a small kid can get a kick out of discovering a security vulnerability. This could be the start of a long and rewarding career, ;-)
It's really refreshing to hold Ctrl-R and see what new comments slide into place.
"At age 1, Kristoffer got past the toddler lock screen on a cell phone by holding down the home key."

Not to be "that guy" or anything but I suspect it is pretty normal for a child to hold down a button.

First, what kind of lousy lock wouldn't safeguard against, what was likely either the only or one of a few buttons, being held down?

Second, sounds like proud father has made at least a few false connections. He is a geeky equivalent of a creationist museum tourist.

If you scroll down to the bottom where it says "Trending Now" all of the headlines (including this one) state 10news.com KGTV ABC San Diego.
So I told this story to my wife, because at first I was a little envious (wishing my boy did this)...then her being the devil's advocate made me realize something...if a 5-year-old can bypass Xbox's verification by pressing space keys and enter then it says volumes about Xbox's verification checks.

Who was sleeping at the wheel when Xbox didn't add empty strings to password verification checks?

I don't think its that surprising, kids have all the time in the world. When I was a kid I worked on cracking the Fridge lock.. Perhaps my time was poorly spent.
As I read the article I kept expecting the part where he was suspended from school for the rest of the semester for breaking the school's zero tolerance policy on "cyber attacks" or something.
On another note, the whitehat bounty seems ridiculously low, if we're to take him as a peer:

    Kristoffer will receive four games, $50 and a year-long
    subscription to Xbox Live from Microsoft.
(comment deleted)
(comment deleted)
Sennnsatioonal!!!

> At age 1, Kristoffer got past the toddler lock screen on a cell phone by holding down the home key.

... uh ... pretty sure because that's because he watched his father doing in order to use the phone.

what level of crime is this? Does this count as computer trespass in NY? If so, that's a class E felony.

  § 156.10 Computer trespass.
    A person is guilty of computer trespass when he or she knowingly uses,
  causes to be used, or accesses a computer, computer service, or computer
  network without authorization and:
    1.  he or she does so with an intent to commit or attempt to commit or
  further the commission of any felony; or
    2. he or she thereby knowingly gains access to computer material.
    Computer trespass is a class E felony.
http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAW...
Well, first the father would have to press charges against his 5-year-old son. Probably not likely, and, eh, I just can't.
I'm not sure about New York but in many states, the victim has no say whether or not charges are pressed against the defendant. It's usually at the sole discretion of the District Attorney.

That being said, this is hardly a triable case as the defendant is 5 years old. The DA would have to prove that the kid knew what he was doing enough to have the culpability to commit a crime, then they would have to convince a jury of adults that a kid should face criminal consequences for hacking his dad's xbox account.

CFAA violation, affecting interstate commerce. Definitely also wire fraud. This kid better watch out for Carmen Ortiz and Stephen Heymann.
Oh sure. When he bypasses child locks he gets rewarded by his parents and Microsoft. When I bypassed child locks and parental controls when I was younger, I got in trouble and my computer taken away. :D
“I was like yea!”
This is indicative of disorganized program structure. Form validation shouldn't be unique to separate forms; they should all be piped through the same place, where validation is done.