Sign up to our newsletter
Most five year olds can write their own name – but few have a job title to put after it. A young Xbox fan has joined an elite group of official Microsoft “security researchers” after he exposed a password flaw on Xbox’s Live Service.
Kristoffer von Hassel was also rewarded with free games, a free subscription, and an official thanks from the company after exposing a simple and potentially damaging security flaw, according to Yahoo News.
The five-year-old’s “hack” revealed a serious password flaw in Xbox Live’s authentication system – which Microsoft has since fixed – and has named the young gamer as a researcher on its website, according to a report by 10 News.
In a statement, the company said: “We’re always listening to our customers and thank them for bringing issues to our attention. We take security seriously at Xbox and fixed the issue as soon as we learned about it.”
Kristoffer was officially thanked by the company for exposing the flaw – which he worked out as a way to log into his dad’s account in San Diego without knowing his password. Xbox Live accounts not only give access to real-money transactions, but also would allow young gamers access to violent games, and games age-rated for profanity among their players.
The hack is simple. Kristoffer discovered that if he entered a wrong password, then simply entered blank spaces to fill the entire password field as his second authentication attempt, he was able to use his father’s account freely, according to the BBC‘s report.
“I got nervous. I thought he was going to find out,” Kristoffer said in an interview with local TV station KGTV. “I thought someone was going to steal the Xbox.”
As well as an official thanks from the company, his name is immortalized alongside other (mostly older) security researchers on a Microsoft web page, “The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.”
Author Rob Waugh, We Live Security