
Five-Year-Old Uncovers Xbox One Login Flaw

Soulskill posted about 6 months ago | from the kids-input-the-darnedest-credentials dept.

XBox (Games) 196

New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."


196 comments


Fuck M$ (-1)

Anonymous Coward | about 6 months ago | (#46663661)

LOL Micro$hit still knows jack about security.

Re:Fuck M$ (0)

Anonymous Coward | about 6 months ago | (#46663723)

Hello. What's the weather like in 1998?

Re:Fuck M$ (2, Insightful)

X0563511 (793323) | about 6 months ago | (#46663747)

OK, So they have learned about Jack in these last 16 years... but they are still having some trouble with Shit.

Re:Fuck M$ (3, Funny)

Anonymous Coward | about 6 months ago | (#46664459)

You have that backwards. M$ has always known about shit. Just look at their products.

Re:Fuck M$ (-1, Troll)

X0563511 (793323) | about 6 months ago | (#46664659)

Whoosh. [wiktionary.org]

Re:Fuck M$ (0)

Anonymous Coward | about 6 months ago | (#46663773)

Balmy and less authoritarian.

Re:Fuck M$ (1, Flamebait)

rullywowr (1831632) | about 6 months ago | (#46664199)

Balmy and less authoritarian.

Balmer, and less authoritarian.

There, FTFY.

Re:Fuck M$ (0)

Anonymous Coward | about 6 months ago | (#46664367)

Look, I know that /. sometimes posts stories that are one or two years old, but the XBone did not even exist in 1998. So to accuse someone of living in the past, when their comment is reflecting an action this year, seems a little absurd.

Re:Fuck M$ (1)

pr0fessor (1940368) | about 6 months ago | (#46664519)

I was going to say... didn't Win98 have a similar issue? Make two login attempts with a password and on the third leave the password field blank, or something like that?

first (-1)

Anonymous Coward | about 6 months ago | (#46663667)

ha!

Re:first (0)

Tmackiller (959837) | about 6 months ago | (#46663779)

The only reason this would be remotely relevant, funny or even smirkworthy would be if it was 10 years ago and you had in fact succeeded at being the first to post. The joke's over, man. And you just lost the game. HA!

Re:first (0)

Anonymous Coward | about 6 months ago | (#46663851)

The irony is that your response is equally archaic.

Re:first (-1)

Anonymous Coward | about 6 months ago | (#46663907)

What the fuck did you just fucking say about me, you little bitch? I'll have you know I graduated top of my class in the Navy Seals, and I've been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in gorilla warfare and I'm the top sniper in the entire US armed forces. You are nothing to me but just another target. I will wipe you the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. You think you can get away with saying that shit to me over the Internet? Think again, fucker. As we speak I am contacting my secret network of spies across the USA and your IP is being traced right now so you better prepare for the storm, maggot. The storm that wipes out the pathetic little thing you call your life. You're fucking dead, kid. I can be anywhere, anytime, and I can kill you in over seven hundred ways, and that's just with my bare hands. Not only am I extensively trained in unarmed combat, but I have access to the entire arsenal of the United States Marine Corps and I will use it to its full extent to wipe your miserable ass off the face of the continent, you little shit. If only you could have known what unholy retribution your little "clever" comment was about to bring down upon you, maybe you would have held your fucking tongue. But you couldn't, you didn't, and now you're paying the price, you goddamn idiot. I will shit fury all over you and you will drown in it. You're fucking dead, kiddo.

Re:first (-1)

Anonymous Coward | about 6 months ago | (#46663937)

lol u mad bro?

Re:first (0)

Tmackiller (959837) | about 6 months ago | (#46663979)

>The irony is that your response is equally archaic.
The irony is that you're pointing this out to prove you can correctly identify irony, because you were unsure of yourself until now.
>Navy seal pasta
Thanks for posting this, so I didn't have to go find it.
Gotta love AC's.

Re:first (0)

Anonymous Coward | about 6 months ago | (#46664011)

Switch to decaf.

Re:first (0)

Anonymous Coward | about 6 months ago | (#46664101)

"guerilla" not gorilla FTFY

Re:first (0)

Anonymous Coward | about 6 months ago | (#46664631)

woosh

Re:first (0)

Anonymous Coward | about 6 months ago | (#46664145)

Is that you posting AC again President Obama?

Re:first (1)

Oligonicella (659917) | about 6 months ago | (#46664355)

I love the sound of little fists vainly slapping bare chests in an attempt to look tough. Unless it was humor, then it's simply too long.

$300? (5, Insightful)

schneidafunk (795759) | about 6 months ago | (#46663679)

What does that come out to, about $300 for a severe bug? I thought Microsoft just paid out $100k for a Windows 8 flaw.

Re:$300? (3, Insightful)

FrozenToothbrush (3466403) | about 6 months ago | (#46663719)

Such a small prize for a million dollar flaw. Basic QA should've caught this.

Re:$300? (2, Funny)

Anonymous Coward | about 6 months ago | (#46664653)

Basic QA should've caught this.

For all the times we suspected it, now we have proof that they were all spaced out!

They were busy (5, Funny)

sl3xd (111641) | about 6 months ago | (#46663835)

I'm sure the reason the reward was so paltry was because the rest of the reward went to cleaning the development team's underwear.

Re:They were busy (5, Interesting)

JoeMerchant (803320) | about 6 months ago | (#46664403)

This smells more like a forgotten backdoor than an algorithmic flaw.... probably traceable in the commit log to the particular dev who put it in, and all the auditors who should have caught it, but didn't.

Re:$300? (4, Informative)

DigitAl56K (805623) | about 6 months ago | (#46663903)

To put it in perspective, that $100K was for bypassing exploit mitigation features that cross all processes on the system, and would severely undermine Windows 8.1's security features. This one seems to require you to be standing in front of a specific console.

Still, what a stupid bug to have.

Re:$300? (2)

JoeMerchant (803320) | about 6 months ago | (#46664423)

Sounds like a way to log in to any console, anywhere, at any time... but, the physical presence thing is some measure of containment. At least one five year old can't take down every machine on the planet at once.

Re:$300? (3, Funny)

jones_supa (887896) | about 6 months ago | (#46664055)

At least they did the right thing and rewarded the kid for the discovery, instead of suing the father for "tampering with their security".

Who? How? (5, Insightful)

i kan reed (749298) | about 6 months ago | (#46663689)

Who takes shortcuts for code when you're developing a damned password entry system? I mean... really? When the sole purpose of the code is security, who goes "oh, whatever, we'll just match against whatever?"

I mean, it's not like hashing or string comparison are hard problems.

Re:Who? How? (3, Informative)

Pope (17780) | about 6 months ago | (#46663759)

You'd be surprised. There's a LOT of bad security out there. Something this bad really takes the cake though.

Re:Who? How? (4, Insightful)

CanHasDIY (1672858) | about 6 months ago | (#46663969)

You'd be surprised. There's a LOT of bad security out there.

Understatement of the day.

Some people would be shocked if they knew how many retailers offering free wifi don't change their router's login from default. I know I always am.

Re:Who? How? (4, Funny)

OakDragon (885217) | about 6 months ago | (#46664017)

Which makes me appreciate all the thought that Slashdot put into its security. For example, did you know if you accidentally type your own password into a comment, it stars it out for you? Example:

***********

Neat, huh?

Re:Who? How? (3, Funny)

PRMan (959735) | about 6 months ago | (#46664061)

Actually, it says Hunter2 for me...

Re:Who? How? (0)

Anonymous Coward | about 6 months ago | (#46664069)

Are you sure? My password is: hunter2.

Re:Who? How? (1)

rogoshen1 (2922505) | about 6 months ago | (#46664079)

Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.

Re:Who? How? (3, Funny)

stephenmac7 (2700151) | about 6 months ago | (#46664179)

What if your pin is a palindrome?

Re:Who? How? (1)

CanHasDIY (1672858) | about 6 months ago | (#46664181)

Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.

What if your PIN is a palindrome?

Re:Who? How? (2)

David_Hart (1184661) | about 6 months ago | (#46664623)

Reminds me of that stupid urban legend about entering your pin at an ATM when under duress.. entering it backwards summons ze police.

What if your PIN is a palindrome?

Then you get your money and the police....

Re:Who? How? (0)

Anonymous Coward | about 6 months ago | (#46663803)

Works for logging into Windows 8.1 also....

Re:Who? How? (3, Funny)

Anonymous Coward | about 6 months ago | (#46663919)

I don't know who could get this wrong or how you could get this wrong.

Does it work if you have the same number of characters?

len(input) == len(password)?

or?

input == password OR (len(input) == len(password) AND string_is_all_spaces(input))

You'd really have to go out of your way in a most bizarre manner to screw this up. I mean, this is like telling someone to make an omelette and they accidentally build a time machine. What the heck were they doing here??

Re:Who? How? (1)

stephenmac7 (2700151) | about 6 months ago | (#46664245)

More like: input == password or re.match('^ +$', input)

Re:Who? How? (2, Informative)

Anonymous Coward | about 6 months ago | (#46664319)

It's not that hard to do.
Basically could be
a) debug code for QA left in to bypass login

b) buffer overflow (off by one); and an exception thrown that was caught outside the password system; that exited back to the main run-time.
Testing that your code can actually handle the maximum number of characters allowable by the input field, is ... rarely tested by QA.
I've personally crashed websites that don't restrict the form input length on the password field. Apparently putting in 4096 character passwords does tend to cause issues on -many- sites.

c) Other logic errors:
You explicitly forbid empty password from entry.
Some process internally does a trim($b)
Password process throws an unhandled exception case due to using an empty string; or null value returned from the password hashing; validation, or associated sub layer.
Maximum length exceeded (-1) combined with a trimmed length of 0; can cause issues if an assumption of "the password cannot be empty at this point" was inadvertently violated.
You code each layer with the assumption of where the data came from, and whether it's been validated or rejected at a higher layer. Something slipping by causes lots of strange, and subtle bugs.

Re:Who? How? (1)

almitydave (2452422) | about 6 months ago | (#46664477)

I bet it's due to a single equals sign.

if (password_retry = account_password) {...

Re:Who? How? (1)

Desler (1608317) | about 6 months ago | (#46664509)

If that were true he could have logged in with any string not just spaces.

Re:Who? How? (1)

LordLimecat (1103839) | about 6 months ago | (#46664527)

Personally I'm a huge fan of the way PowerShell does it:
  * Comparison: $num1 -eq $num2
  * Assignment: $num1 = $num2

Re:Who? How? (1)

Anonymous Coward | about 6 months ago | (#46663963)

They're the people who invented "press cancel to log in" for windows 95.

Re:Who? How? (1, Informative)

lgw (121541) | about 6 months ago | (#46664141)

They're the people who invented "press cancel to log in" for windows 95.

Which was fine. Win95 was intended as a single-user system with no local security. That login screen was for using network resources, and was irrelevant for local access.

And if you don't encrypt your drives, your modern OS is no more secure than Win95 to someone with physical access.

Re:Who? How? (2)

wisnoskij (1206448) | about 6 months ago | (#46663965)

I wonder...
Either this is some developer/tester login thing.
Or the developer did something weird where he removed whitespace, and a "correct" match was found when the manipulated/tested string was length 0.

Re:Who? How? (1)

lgw (121541) | about 6 months ago | (#46664165)

It almost has to be a deliberate backdoor for testing that someone forgot to take out. I can't imagine Trim()ing a password. But then I couldn't have believed anyone would smash case on a password before I heard Blizzard did it. I guess there's nothing so stupid that we should rule it out.

Re:Who? How? (1)

wisnoskij (1206448) | about 6 months ago | (#46664285)

But this is not a keyboard/computer password. Allowances are made for less effective input devices. If extra spaces are a common problem when using Xbox text input, no one would think twice about it. Also, it is possible they just did not allow whitespace in a password, so instead of a warning they just removed it at creation and use (so it would work even if they thought your password has a space in it).

Re:Who? How? (1)

lgw (121541) | about 6 months ago | (#46664475)

All of which would be bugfuck insane from a security perspective, but after Bliz admitting their passwords are case insensitive, I'll believe anything.

Re:Who? How? (1)

Hognoxious (631665) | about 6 months ago | (#46664501)

But it only happens on the second attempt. That implies some state is being carried over. I find it hard to believe that even a drunken monkey could do that by accident.

Re:Who? How? (0)

Anonymous Coward | about 6 months ago | (#46664029)

DAMN!

-NSA

Possibly... (4, Informative)

Viol8 (599362) | about 6 months ago | (#46664033)

... the matching algo checks for zero-length strings *before* it strips out whitespace, so it lets this through. Once it has stripped out the whitespace it *then* has a zero-length string but doesn't know it, and the rest of the algo fails because of it.

I'll bet it's something stupid like:

hashed_pwd = strip(input_pwd);

for (ptr = hashed_pwd; *ptr; ++ptr)
{ // Match char by char; an empty string never enters this loop
        if (hash char doesnt match) return BAD;
}
return MATCH;

Re:Who? How? (0)

Anonymous Coward | about 6 months ago | (#46664223)

They probably trim whitespaces from passwords, and so they tried to compare an empty string to the hash and probably missed an error catching bug there..

Dads, stop doing the kids' homework (0)

Anonymous Coward | about 6 months ago | (#46663693)

xbone, yeah!

The account security is not important (0, Flamebait)

uCallHimDrJ0NES (2546640) | about 6 months ago | (#46663751)

The account security is not important. The facial recognition logging who was in the room at what times and storing it in a coded blackbox style log is what's important. User account security is not significant. We are not the customers.

Re:The account security is not important (0)

Anonymous Coward | about 6 months ago | (#46664227)

So true. We are just sources of metrics...

Prosecute the child and father! (5, Funny)

Anonymous Coward | about 6 months ago | (#46663761)

Why is this criminal being celebrated rather than prosecuted for hacking into a protected computer system across state lines? The child is A FELON and must go to jail. The father acted as an accessory and should also be prosecuted.

Re:Prosecute the child and father! (0)

Anonymous Coward | about 6 months ago | (#46663945)

That will make for an interesting hook on a CV when the kid goes job hunting. Fresh out of college the kid could sound like an old codger:
"I have been finding bugs in software since before you were in school."

Re:Prosecute the child and father! (1)

Jason Levine (196982) | about 6 months ago | (#46664263)

Given that the kid is 5 and likely in Kindergarten, he could say "I've been finding bugs in software almost since before *I* was in school!"

Re:Prosecute the child and father! (3, Insightful)

JoeMerchant (803320) | about 6 months ago | (#46664447)

Makes me wonder if the kid is just an attention ploy the dad used...

Re:Prosecute the child and father! (1)

bill_mcgonigle (4333) | about 6 months ago | (#46663955)

If this were AT&T, the boy would be on his way to Gitmo by now.

But Microsoft, so ... wow, good for them. </icky>

Re:Prosecute the child and father! (0)

lgw (121541) | about 6 months ago | (#46664187)

It's another sign that MS is changing their ways. I remain hopeful but skeptical, but this could be the dawn of a good era for MS-ville.

Re:Prosecute the child and father! (1)

CanHasDIY (1672858) | about 6 months ago | (#46663987)

Hey, man, it's not like this is Pakistan... [yahoo.com]

New Slogan (1)

Anonymous Coward | about 6 months ago | (#46663801)

New marketing campaign for Xbox One. 'So simple a 5 year old can hack it.'

Attach video in kid's 2026 college application (1)

Kensai7 (1005287) | about 6 months ago | (#46663805)

I bet every undergraduate CS Department in the country will want him. :p

Re:Attach video in kid's 2026 college application (0)

Anonymous Coward | about 6 months ago | (#46663997)

I don't see why. This amounts to winning the lottery or witnessing a meteor falling while skydiving.

Who thinks to try putting all spaces or "PASSWORD" or "123456" or anything else for that matter? What's the statistical likelihood of accidentally finding a backdoor? It's not like this kid looked at the code and worked it out - it's a total accident. Now if you're saying you want to hire all accidental engineers then I guess you could hope to churn out the works of Shakespeare eventually...

Re:Attach video in kid's 2026 college application (0)

Anonymous Coward | about 6 months ago | (#46664131)

I found one in a broken ATM machine once. Default maintenance password was 000000, same as back in the day with old flip phones using BREW to get internet.

Re:Attach video in kid's 2026 college application (3, Insightful)

Anrego (830717) | about 6 months ago | (#46664205)

Generally agree.

I would however note that it's that curiosity to try stuff like this and that "what happens if I.." mindset that tends to make a good hacker. Yes this kid lucked out, but it's always encouraging when you see this kinda "poke holes in everything" behaviour early on.

Re:Attach video in kid's 2026 college application (1)

Cruciform (42896) | about 6 months ago | (#46664645)

I lucked out guessing a wifi password once. The neighbors had put up a network and called it "harunyahya". I googled for it and came up with some wacky creationist conspiracy nut. One of the most common words on the site was 'truth'. So I used that as the password and got in on my first attempt.

A little bit of research and a lot of luck. Pretty satisfying either way :)

A year? Seriously? (3, Interesting)

shaitand (626655) | about 6 months ago | (#46663815)

This might have been a simple-to-find bug but that's exactly why it would have been so damaging. They could at least give the kid a permanent Xbox Live subscription. He would have effectively had one if he hadn't disclosed the bug.

Sucks to be a security professional... (5, Funny)

pegr (46683) | about 6 months ago | (#46663823)

Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!

Re:Sucks to be a security professional... (0)

Anonymous Coward | about 6 months ago | (#46664605)

Yeah, are you sick of that story of the Indian kid who got his CISSP at the age of 12? Well, here's a 5 year old with a published vulnerability!

At 12? That means he already had 5 years of experience working in the security field. So he got a job by the age of 7.

Or did he just pass the test?

What kind of code that do that? (2)

JcMorin (930466) | about 6 months ago | (#46663841)

I mean, what kind of code can allow a space password to be approved... the MD5 surely didn't check... oh wait... another buffer overflow because the length of the password was too big? Why the space? Is it like a backdoor the developer forgot to remove?

Re:What kind of code that do that? (1)

aviators99 (895782) | about 6 months ago | (#46663915)

Good question. I can't imagine the code that would generate this bug.

Re:What kind of code that do that? (0)

Anonymous Coward | about 6 months ago | (#46664121)

Really? String.Trim() combined with poor error handling for a null or empty string would be my guess. String.Trim is a plausible thing to do in case you have to deal with text entry from a mobile device, since they have a tendency to add spaces after things if you click to accept the current input.

Re:What kind of code that do that? (2)

Anrego (830717) | about 6 months ago | (#46664267)

My guess is it's an algorithm that starts with the assumption that the password is correct until proven incorrect, and something in that algorithm is breaking, leaving the correct assumption to stand.

This is of course lazy programming, but not entirely uncommon.

Re:What kind of code that do that? (4, Interesting)

jandrese (485) | about 6 months ago | (#46663917)

Yeah. Space is a full blown character. This reeks of intentional backdoor, there's really no other plausible scenario in my mind.

That's not to say the backdoor was necessarily malicious. Maybe the guy in charge of the password login system was always breaking stuff and locking himself out of his box, so he put a bypass in there so he could get in and fix it, but forgot to remove it later. It's at best really sloppy.

Re:What kind of code that do that? (0)

Anonymous Coward | about 6 months ago | (#46664095)

Maybe the guy in charge of the password

What if it was a girl? You insensitive clod!

Re:What kind of code that do that? (1)

janoc (699997) | about 6 months ago | (#46664225)

It rather shows that Microsoft *still* does not review security-sensitive code properly. How this could have passed any code review is beyond me.

Either they are so incredibly sloppy and incompetent (do you really want to entrust them with your credit card then?!) or this was intentional. I am not sure which one is actually worse ...

Re:What kind of code that do that? (0)

Anonymous Coward | about 6 months ago | (#46664261)

Yeah. Space is a full blown character. This reeks of intentional backdoor, there's really no other plausible scenario in my mind.

Unless you, you know, trim whitespaces from the start/end of passwords to hash.

Re:What kind of code that do that? (1)

Hognoxious (631665) | about 6 months ago | (#46664569)

Yeah, and keep count of which attempt number it is, and only do that if it's 2 (or 1 if you use C).

Re:What kind of code that do that? (0)

Anonymous Coward | about 6 months ago | (#46663991)

or a $success = true; if(!empty($password)) { $password = trim($password); if(strlen($password) > 0) { ... do check } } else { fail }

Re:What kind of code that do that? (1)

Anonymous Coward | about 6 months ago | (#46664517)

It's not that hard to do.
Basically could be
a) debug code for QA left in to bypass login

b) buffer overflow (off by one); and an exception thrown that was caught outside the password system; that exited back to the main run-time.
Testing that your code can actually handle the maximum number of characters allowable by the input field, is ... rarely tested by QA.
I've personally crashed websites that don't restrict the form input length on the password field. Apparently putting in 4096 character passwords does tend to cause issues on -many- sites.

c) Other logic errors:
You explicitly forbid empty password from entry.
Some process internally does a trim($b)
Password process throws an unhandled exception case due to using an empty string; or null value returned from the password hashing; validation, or associated sub layer.
Maximum length exceeded (-1) combined with a trimmed length of 0; can cause issues if an assumption of "the password cannot be empty at this point" was inadvertently violated.
You code each layer with the assumption of where the data came from, and whether it's been validated or rejected at a higher layer. Something slipping by causes lots of strange, and subtle bugs.

Most probable case: c.

setAccount(xboxLiveId);
if (!empty(password)) {
    $server->validate(password); /** https://passwordserver/authorize?username=xboxliveid&password={all plusses} */

--Internal system:--
          WTF?

-- parse response --
  INVALID RESPONSE EXCEPTION

--Overarching application loop:--

    catch exception :
          Log
          Attempt recovery to main application screen
          Recovered (cause password system set the id; and otherwise system is in a stable state)

Now at the main event loop.
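
The fail-open shape Viol8 sketched a few posts up (trim, then walk the input until it runs out), Anrego's "correct until proven incorrect" default, and the trim-to-empty-string case in the post above, as an added C example that is not from any poster or from Microsoft: the buggy check beside a fail-closed one. The stored secret, the FNV-1a stand-in for a password hash, and the trial inputs are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW  64
#define HEX_LEN 16                 /* 64-bit digest rendered as hex */

/* Constructed stand-in for the stored credential (this thread's hunter2). */
static const char *STORED_SECRET = "hunter2";

/* Trim() equivalent: copy in -> out without leading/trailing whitespace. */
static void trim_copy(const char *in, char *out, size_t out_sz)
{
    while (*in && isspace((unsigned char)*in)) in++;
    size_t n = strlen(in);
    while (n > 0 && isspace((unsigned char)in[n - 1])) n--;
    if (n >= out_sz) n = out_sz - 1;
    memcpy(out, in, n);
    out[n] = '\0';
}

/* FNV-1a 64-bit as hex. Only a placeholder for "the hash" in the posts;
 * it is not a password hash (real code: bcrypt/scrypt/Argon2). */
static void digest_hex(const char *s, char out[HEX_LEN + 1])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; ++s) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    snprintf(out, HEX_LEN + 1, "%016llx", (unsigned long long)h);
}

/* Fail-open check in Viol8's shape. The loop is bounded by the INPUT's
 * terminator, so an all-space password (trimmed to "") never enters it and
 * falls through to the default "match". The same loop also accepts any
 * prefix of the secret, and trimming makes "hunter2 " equal to "hunter2". */
bool verify_fail_open(const char *input)
{
    char pw[MAX_PW];
    trim_copy(input, pw, sizeof pw);
    const char *p = pw, *q = STORED_SECRET;
    for (; *p; ++p, ++q) {
        if (*p != *q) return false;   /* also fires when *q hits '\0' */
    }
    return true;                      /* BUG: the default outcome is accept */
}

/* Constant-time equality over fixed-length buffers (no early exit). */
static bool ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Fail-closed check: the secret is never trimmed, empty input is rejected
 * before anything else, digests are compared at a fixed length, and every
 * path except the final comparison returns false. If a UI really must
 * normalise input, apply the same normalisation at enrolment and still
 * reject an empty result here. */
bool verify_fail_closed(const char *input)
{
    if (input == NULL || input[0] == '\0') return false;
    if (strlen(input) >= MAX_PW) return false;   /* length policy, not a crash */
    char got[HEX_LEN + 1], want[HEX_LEN + 1];
    digest_hex(input, got);
    digest_hex(STORED_SECRET, want);             /* real code: load stored digest */
    return ct_equal((const unsigned char *)got,
                    (const unsigned char *)want, HEX_LEN);
}

int main(void)
{
    const char *tries[] = { "hunter2", "        ", "hunt", "hunter2 ", "" };
    for (size_t i = 0; i < sizeof tries / sizeof *tries; ++i)
        printf("[%-9s] fail-open=%d fail-closed=%d\n", tries[i],
               (int)verify_fail_open(tries[i]), (int)verify_fail_closed(tries[i]));
    return 0;
}
```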

Indeed. On my windows boxen (0)

Anonymous Coward | about 6 months ago | (#46663859)

I just simply have to click the cancel button and I get logged right in. You'd think by now M$ would have patched this idiocy. And added USB 2.0 support at the least.

I'm going back to dual booting my linux kernel and browsing with lynx. Fagogts.

Broken by a 5 year old... (1)

PRMan (959735) | about 6 months ago | (#46664071)

Typical Microsoft security... :(

Re:Broken by a 5 year old... (0)

Anonymous Coward | about 6 months ago | (#46664195)

What ultimate security system have you designed? Maybe a not so ultimate one? Ok, how about a small one?

If you had you'd understand that today's best security is tomorrow's vulnerability. Furthermore, this stinks of a backdoor used during development - yeah, it's still sloppy.

Re:Broken by a 5 year old... (0)

Anonymous Coward | about 6 months ago | (#46664363)

In Win98 you could simply hit cancel at the optional login prompt to access the system.

What caused it? (1, Interesting)

jones_supa (887896) | about 6 months ago | (#46664117)

Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account.

That's interesting. Let's speculate a bit about the bug.

Do you have any theories how the login part of the Xbox One software was programmed which caused it to behave like that?

Re:What caused it? (1)

aviators99 (895782) | about 6 months ago | (#46664255)

What is this "second password verification screen"? Was it secondary identification questions (like mother's maiden name) or the same password again? I don't have an Xbox, so I have no idea what that means.

"Security" that can be broken by a 5-year-old ... (1)

janoc (699997) | about 6 months ago | (#46664173)

Fortunately 5-year-olds are easily bribed by a few games and an ice cream before they try to hack something more dangerous.

This sort of issue really instills a lot of confidence in the quality of that system *facepalm*.

Cut the Shit (1)

sexconker (1179573) | about 6 months ago | (#46664293)

The 5 year old didn't find this out, the father did. He's just using his 5 year old to get attention.

Re:Cut the Shit (0)

Anonymous Coward | about 6 months ago | (#46664393)

Given that the only step to trigger, then bypass, the second prompt, as described, involved merely holding down the (virtual) spacebar, this story is relatively plausible among the "my $x year old did this" stories.

Re:Cut the Shit (0)

Anonymous Coward | about 6 months ago | (#46664641)

Yeah, my kids like to punch in random keys on my password box as well. I can certainly see a kid holding down the space bar for a long time.

No (0)

Anonymous Coward | about 6 months ago | (#46664487)

We adults are so trained to follow the login instructions that no adult would even attempt to put in a bad password and spaces in the next field - doing that fails on every other computer system. If it were a bad password and nothing entered in the next field, then yes, I'd doubt the story. But spaces?
It takes a kid who doesn't know any better.

So, I believe the story.

My kid broke pepsi.com (3, Interesting)

Anonymous Coward | about 6 months ago | (#46664311)

Posting anonymously because I'm still afraid that Pepsi goons will break down my door any minute now.

Quite a few years ago, I found that somebody had shown my preschooler that you could enter code numbers from inside the caps of Pepsi products to get "free" merch.

He just started entering random numbers and characters until he found a pattern that worked every time. He thought that was the point! He spent hours at it and then proudly showed me that he'd "solved the puzzle" and Pepsi was going to send him truckloads of free stuff.

I quickly popped through a couple DHCPs on the cable modem and told him not to do that anymore.

How? (1)

Hognoxious (631665) | about 6 months ago | (#46664325)

How in God's green tarnation does somebody manage to produce a bug like that?

forgot rule 12 of evil overlords (4, Funny)

Jecel Assumpcao Jr (5602) | about 6 months ago | (#46664365)

I guess their team of advisors is incomplete:

http://www.eviloverlord.com/li... [eviloverlord.com]

"12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."

And:

"60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords."

Perhaps Microsoft doesn't consider itself evil? Lots of people no longer do. At least they followed rule 32 in this case.

Microsoft takes security very seriously (1)

DickBreath (207180) | about 6 months ago | (#46664647)

Stop complaining.

Microsoft fixed it, didn't they?

Microsoft takes security seriously.

(Hey, stop it. Stop laughing. Hey, I said STOP LAUGHING!)