Kristoffer Von Hassel, a five year old boy from San Diego, United States figured out how to log in to Microsoft’s Xbox Live service account of his Dad without the right password. Microsoft has acknowledged the security vulnerability and fixed the flaw. It has also added Kristoffer to its list of recognised security researchers.
Kristoffer has also been awarded four free game titles, $50 in cash, and a year-long subscription to Xbox Live. His name now appears on the Microsoft’t technet webiste. Kristoffer ingeniously worked out a solution which let him enter the Xbox Live services without his fathers password. On the main log in page he entered a wrong password which would automatically bring second password verification screen. Kristoffer figured out that in this screen he simply had to press the space bar to gain entrance into the Xbox Live services. Robert Von Hassel sent the details of the flaw to Microsoft naming Kristoffer as the discoverer. Microsoft immediately fixed the flaw and issued a statement which said: “We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”
From the ease of the backdoor which Kristoffer found it is most probably a development backdoor which company’s usually put for developers and testers. Such kind of backdoors are kept at the testing stage to allow the developers and testers to log in to the service and from the looks of it, the Microsoft engineers forgot to remove the backdoor while launching the service.
You can watch Kristoffer’s complete interview, which he gave to a local news station KGTV below.