
Xbox password flaw exposed by five-year-old boy


14 replies to this topic

#1 jhayz

jhayz

  • BC Advisor
  • 6,922 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:04 AM

Posted 05 April 2014 - 12:37 AM

A five-year-old boy who worked out a security vulnerability on Microsoft's Xbox Live service has been officially thanked by the company.

Kristoffer Von Hassel, from San Diego, figured out how to log in to his dad's account without the right password.

Microsoft has fixed the flaw, and added Kristoffer to its list of recognised security researchers.

 

http://www.bbc.com/news/technology-26879185


Tekken
 




#2 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:06:04 AM

Posted 05 April 2014 - 01:23 AM

 

In a statement, the company said: "We're always listening to our customers and thank them for bringing issues to our attention

 Are we talking about the same Microsoft here? The one that makes Windows OS? Not some other Microsoft?


Arch Linux .
 


#3 Allen

Allen

  • Members
  • 337 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:05:04 PM

Posted 05 April 2014 - 07:56 AM

How do we know that these spaces weren't just the actual password? Or maybe the kid actually knew the password and was just lying?


Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:04 PM

Posted 05 April 2014 - 10:16 AM

How do we know that these spaces weren't just the actual password? Or maybe the kid actually knew the password and was just lying?


Because I assume that Microsoft would have verified the flaw before officially thanking him and adding him to the list of security researchers...

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#5 Skreen32

Skreen32

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 05 April 2014 - 03:07 PM

 

 

In a statement, the company said: "We're always listening to our customers and thank them for bringing issues to our attention

 Are we talking about the same Microsoft here? The one that makes Windows OS? Not some other Microsoft?

 


My thoughts EXACTLY!



#6 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,483 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:04 PM

Posted 05 April 2014 - 03:19 PM

Microsoft listens to their customer base frequently. Look at Windows 7, then look at the upcoming Windows updates: they are changing the operating system based on customer feedback. They may have made a few mistakes with initial releases of software, but they fix it afterwards by listening to the customer base. Heck, look at Apple; they pretty much blew it when it comes to iOS 7, and now they are fixing things by listening to the user base. A large company has to listen to their users, otherwise they fade into the black and run out of money, like BlackBerry.
If I have replied to a topic and you reply and I haven't gotten back to you within 48 hours (2 days) then send me a P.M.

#7 StudyVIruses

StudyVIruses

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:04 PM

Posted 07 April 2014 - 09:30 PM

That's a pretty interesting find.



#8 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:06:04 AM

Posted 07 April 2014 - 10:02 PM

The funny thing is that it could not have been an accident... Someone programmed that in there for some reason and then failed to delete it... lol.

 

Typical two-bit programmer modus operandi... Screw the attention to detail, we'll just release a new version later and charge them for it.


Edited by TsVk!, 07 April 2014 - 10:03 PM.


#9 czarboom

czarboom

  • Members
  • 608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Texas
  • Local time:03:04 PM

Posted 08 April 2014 - 02:53 AM

Xbox, well. It seems that when Xbox was left to do its own thing away from Big Daddy Microsoft Main, it created a huge developer market. It also gave indie developers a shot at something real.

Then Microsoft main got involved and drove the developers into the arms of PlayStation.

 

It's not surprising that this was a flaw. Almost all programmers are not taught a single thing about coding for application security. Samsung and Android have had carrier and company pre-installed applications with giant holes in them.

 

In January of this year, Knox had a hole in it that allowed for the reading of encrypted information sent from applications. See that article here.

 

It goes back to the ease of most CIS and four-year computer degrees at colleges in America today. Most students spend four years at a college and still can't code when they get out, or troubleshoot with simple CMD commands in a network. They KNOW NOTHING ABOUT LINUX, or basic commands.

 

So that has led companies like Microsoft, Apple, Google, and Dell to have to test new hires to see if they can do what they say they can do. I have been networking for a long time, and still every day I get my butt kicked and learn something new.

 

But when you have a workforce staffed by people who either don't care or don't know enough to be in charge of an application team, what rolls out is really poor, buggy apps.

 

13,000 federal IT security jobs went unfilled last year, because the government couldn't find people with the skills needed to do the jobs. CNN reports here on some of that.

 

Overall, it's tough to do IT security the correct way.


CZARBOOM 
 
"Never Stop Asking Questions, Question Your Environment, Question Your Government, above all Question Yourself. We all lose when you Stop asking Why?"

#10 jhayz

jhayz
  • Topic Starter

  • BC Advisor
  • 6,922 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:04 AM

Posted 08 April 2014 - 11:01 PM

Flaws are universal and there are no exceptions, whether it's in the form of applications, operating systems, platforms or vulnerabilities. There is no surprise in the story, but maybe more of a simple coincidental flaw in the Xbox login. Whether it was verified or not from a different Xbox account is still another story...


 


#11 czarboom

czarboom

  • Members
  • 608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Texas
  • Local time:03:04 PM

Posted 10 April 2014 - 04:24 AM

Yes, with OpenSSL, now that's a much bigger and huge issue. If I remember, the advice going around to most people is to

"change all your passwords for everything you have an account for"

 

I had to make an encrypted list of all my passwords and accounts.... now I have to change them... and that is stupid crazy.



#12 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:06:04 AM

Posted 10 April 2014 - 04:35 AM

There's a nice way of having great passwords on this site... www.ss64.com

 

Also loads of reference for novice coders.

 

Edit: I know it's a bit off topic, I just wanted to share that.


Edited by TsVk!, 10 April 2014 - 04:42 AM.


#13 lolasdad315

lolasdad315

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 13 April 2014 - 10:05 AM

Yes, thank you bleeperizer. A solution for many. On target.



#14 czarboom

czarboom

  • Members
  • 608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Texas
  • Local time:03:04 PM

Posted 14 April 2014 - 01:23 AM

Nice little tool, thanks to bleeperizer for sharing this. Good stuff.



#15 czarboom

czarboom

  • Members
  • 608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Texas
  • Local time:03:04 PM

Posted 19 April 2014 - 08:43 AM

Guys, speaking of passwords and hacks and cracks, for those of us out there with a good handle on Linux, check out the OS Kali Linux (was called BackTrack). It can be run in a VM on Windows or installed as an OS on any machine. It's an OS, very basic, but includes a good chunk, 60 I think, of testing and security tools that are a great learning experience for someone looking to get experience in pen testing. Just don't expect any how-to guides, because there are almost none for this program.

 

You need to know some Linux/Unix commands, and most of it is run through the terminal window or in PowerShell. I've been using Linux in command environments for 5 years and it taught me a lot of little commands I didn't know were there. Just be responsible with it, meaning if you jump your router and your ISP calls you, or worse, that is on you.

 

cheers  (Goooooo ROVERS.... still one of the few teams to win the Premiership).





