
(BBC-US)   News: Security flaw discovered in Xbox. Fark: By five year old   (bbc.com)
    More: Fail, Xbox, space bars, KGTV  

4494 clicks; posted to Geek » on 04 Apr 2014 at 1:30 PM (24 weeks ago)



 
ZAZ [TotalFark]
2014-04-04 01:02:36 PM
Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.

I discovered a similar bug in a screen lock program for IBM mainframes. There was a huge category of strings that no normal person would enter that would crash the lock program. I think the best analogy on modern unixy systems would be if a system accepted an 8 character password, you entered 8 non-ASCII characters, and the UTF-8 encoding expanded the string beyond the 8 byte buffer allocated for it. Microsoft went to unicode strings internally long ago and might not suffer from that class of bugs.
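
The UTF-8 analogy in the comment above, as an added example that is not part of the original post: a password policy counted in characters guarding a fixed-width field sized in bytes. The names `utf8_chars`, `char_only_check` and `store_password` and the sample input are hypothetical, constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX_CHARS 8   /* policy from the comment: "8 character password" */
#define PW_BUF_BYTES 8   /* fixed-width field sized as if 1 character == 1 byte */

/* Constructed sample input: eight U+00E9 characters, two UTF-8 bytes each. */
#define E_ACUTE "\xC3\xA9"
static const char EIGHT_ACCENTED[] =
    E_ACUTE E_ACUTE E_ACUTE E_ACUTE E_ACUTE E_ACUTE E_ACUTE E_ACUTE;

/* Count code points: every byte that is not a 10xxxxxx continuation byte
 * starts a character. Assumes the input is already valid UTF-8. */
size_t utf8_chars(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Flawed validation: checks characters only. Returns how many bytes a caller
 * trusting this check would copy into the field (0 = rejected). Nothing is
 * copied here, so the example itself never writes out of bounds. */
size_t char_only_check(const char *pw)
{
    if (utf8_chars(pw) > PW_MAX_CHARS)
        return 0;
    return strlen(pw);
}

/* Hardened store: enforce the policy in characters and the buffer in bytes.
 * The field is zero-padded and not NUL-terminated. Returns 0 on success. */
int store_password(char *field, size_t field_bytes, const char *pw)
{
    size_t len = strlen(pw);
    if (utf8_chars(pw) > PW_MAX_CHARS || len > field_bytes)
        return -1;
    memset(field, 0, field_bytes);
    memcpy(field, pw, len);
    return 0;
}

int main(void)
{
    char field[PW_BUF_BYTES];
    printf("chars=%zu bytes=%zu\n",
           utf8_chars(EIGHT_ACCENTED), strlen(EIGHT_ACCENTED));
    printf("char-only check would copy %zu bytes into a %d-byte field\n",
           char_only_check(EIGHT_ACCENTED), PW_BUF_BYTES);
    printf("hardened store returns %d\n",
           store_password(field, sizeof field, EIGHT_ACCENTED));
    return 0;
}
```

The input passes the 8-character policy while needing twice the field's size in bytes, which is why the length that bounds a copy has to be measured in the destination's units.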
 
2014-04-04 01:38:56 PM
No, they just suffer from the class of bugs where entering a bunch of spaces lets you in to someone's account.
 
2014-04-04 01:46:03 PM
"Dad Robert - who works in security - sent details of the flaw to Microsoft. "

What part of security?  Almost sounds like he found the flaw then said his kid did it.  Yes I rarely believe these kinds of stories.
 
2014-04-04 01:47:02 PM
That's two of the things on the Evil Overlord List.

12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.
 
2014-04-04 01:51:14 PM
The boy worked out that entering the wrong password into the log-in screen would bring up a second password verification screen.
Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.


That's not a flaw, that's outright incompetence.  Does anyone know if this was a buffer overflow exploit or if the second validation screen just didn't bother to check anything you entered?
 
2014-04-04 02:01:45 PM
Maybe the spacebar entries were actually the password
 
2014-04-04 02:05:35 PM

Misch: That's two of the things on the Evil Overlord List.

12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.


I was just coming here to say that. Good to see other aspiring Evil Overlords revealing themselves, I know who to target first.

/Wait. . . shiat.
 
2014-04-04 02:11:02 PM
When my son was between 2 and 3, I realized that OSHA et al needs to bring a toddler along on any sort of safety inspection. They instinctively head for the most dangerous thing in any room.
 
2014-04-04 02:13:55 PM

Misch: That's two of the things on the Evil Overlord List.

12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.


Something I never understood: Congratulations, you have now created a five-year-old with intimate knowledge of your plans, codes, and passwords, surely no security weaknesses there...
 
2014-04-04 02:19:17 PM

TNel: What part of security?


Mall cop.
 
2014-04-04 02:22:17 PM

SquishyLizard: Congratulations, you have now created a five-year-old with intimate knowledge of your plans, codes, and passwords, surely no security weaknesses there...


Teach them some naughty words, they'll choose to remember and repeat those instead.
 
2014-04-04 02:25:48 PM
Lol, the same thing happened on vista if you didn't have admin rights and needed to install something.
 
2014-04-04 02:28:34 PM
So direct buffer overflow? This means password lockout talks directly to the kernel (if it has something like that)

brilliant?

Am I generally correct in my assumptions?  not a techie but I try to get the gist of things so people have a harder time snowing me.
 
2014-04-04 02:35:59 PM

TNel: "Dad Robert - who works in security - sent details of the flaw to Microsoft. "

What part of security?  Almost sounds like he found the flaw then said his kid did it.  Yes I rarely believe these kinds of stories.


More likely the kind of security that wears a polyester sport coat and clip on tie.
 
2014-04-04 02:40:21 PM

big pig peaches: TNel: "Dad Robert - who works in security - sent details of the flaw to Microsoft. "

What part of security?  Almost sounds like he found the flaw then said his kid did it.  Yes I rarely believe these kinds of stories.

More likely the kind of security that wears a polyester sport coat and clip on tie.


Birth control?
 
2014-04-04 03:01:57 PM

SquishyLizard: Misch: That's two of the things on the Evil Overlord List.

12. One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

60. My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.

Something I never understood: Congratulations, you have now created a five-year-old with intimate knowledge of your plans, codes, and passwords, surely no security weaknesses there...


71. If I decide to test a lieutenant's loyalty and see if he/she should be made a trusted lieutenant, I will have a crack squad of marksmen standing by in case the answer is no.

74. When I create a multimedia presentation of my plan designed so that my five-year-old advisor can easily understand the details, I will not label the disk "Project Overlord" and leave it lying on top of my desk.
 
2014-04-04 03:02:14 PM
My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!
 
2014-04-04 03:04:36 PM
KawaiiNot: My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!

Your password security sucked.
 
2014-04-04 03:07:53 PM
well, someone has to look out for microsoft os users.
 
2014-04-04 03:09:45 PM
here is something even scarier: 95% of all ATM's run winXP.

that outta' be fun.
 
2014-04-04 03:10:28 PM

Cytokine Storm: KawaiiNot: My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!

Your password security sucked.


[img.fark.net image]
 
2014-04-04 03:11:55 PM

KawaiiNot: My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!


Even if your CC was stored on their server do you really think they show you the whole thing online?  Mine is stored and the last time I looked it was showing up as xxxx-xxxx-xxxx-1234 03/2014
 
2014-04-04 03:12:30 PM

mrlewish: So direct buffer overflow? This means password lockout talks directly to the kernel (if it has something like that)

brilliant?

Am I generally correct in my assumptions?  not a techie but I try to get the gist of things so people have a harder time snowing me.


Er... "talks directly to the kernel" doesn't really mean a whole lot, but I think I understand what you're trying to say and no, that's not necessarily the case.  This wasn't a privilege escalation attack - it just bypassed the password check.

There isn't really enough information to even definitively say that it was a buffer overflow in the traditional sense, and I would actually bet against it.  You can't generally get desirable results out of JUST overflowing a buffer with garbage data - at least some portion of the input is generally crafted to do something, even if it is just replacing the return address with another one.  You might crash the program that way (which would definitely tell you that it is vulnerable to an overflow), but you probably wouldn't magically get the desired result out of it, especially with ASLR.

My guess would be a logic error in the password check - not a memory corruption.
 
2014-04-04 03:28:53 PM

TNel: KawaiiNot: My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!

Even if your CC was stored on their server do you really think they show you the whole thing online?  Mine is stored and the last time I looked it was showing up as xxxx-xxxx-xxxx-1234 03/2014


Thieves aren't interested in credit card information itself - they are interested in the resell value of the account.
 
2014-04-04 03:30:58 PM

Cytokine Storm: Your password security sucked.


Or someone else's security sucked.  Most of the time successful account hijackings are due to userid and password lists stolen from one of the thousand sites that have been hacked into.

/don't use the same password for multiple services
 
2014-04-04 03:33:13 PM

Linux_Yes: here is something even scarier: 95% of all ATM's run winXP.

that outta' be fun.


Embedded XP, not plain Jane XP.  So that support is good till 2016, then they will still patch but for a fee which banks will pay for.  Most will get upgraded though by 2016.
 
2014-04-04 03:34:49 PM

gingerjet: Thieves aren't interested in credit card information itself - they are interested in the resell value of the account.


I agree but original poster said that thank god he didn't store his CC info.
 
2014-04-04 03:39:30 PM

TNel: "Dad Robert - who works in security - sent details of the flaw to Microsoft. "

What part of security?  Almost sounds like he found the flaw then said his kid did it.  Yes I rarely believe these kinds of stories.


It's hard to believe that a five year old could come up with holding down the space bar?
 
2014-04-04 03:48:33 PM

picturescrazy: It's hard to believe that a five year old could come up with holding down the space bar?


On a keyboard, not at all.  With an xbox controller, yeah.
 
2014-04-04 03:51:19 PM

ReverendJasen: No, they just suffer from the class of bugs where entering a bunch of spaces lets you in to someone's account.


A "security flaw" that is a lot like leaving your keys in the ignition. This from the company that wants to run the Kinect camera 24/7 with a constant internet connection. I imagine the entire PlayStation development team is laughing and giving each other high fives right about now.
 
2014-04-04 03:56:02 PM

red5ish: A "security flaw" that is a lot like leaving your keys in the ignition. This from the company that wants to run the Kinect camera 24/7 with a constant internet connection. I imagine the entire PlayStation development team is laughing and giving each other high fives right about now.


Yeah because PSN is foolproof right?  It was patched in a day of it being found what more do you want?  There will always be holes as long as they are patched when they are found then all is well.

This was only useful if the account was stored on the Xbox so nobody could get into anyone's account that wasn't already saved to their console.
 
ZAZ [TotalFark]
2014-04-04 04:00:01 PM
It's hard to believe that a five year old could come up with holding down the space bar?

I could do that in my sleep. I did do that in my sleep. In college I found a bug when I fell asleep with my head on the keyboard. The repeating keystrokes overflowed a buffer, crashing a program, logging me out, triggering a second bug that caused a kernel panic. (There was a race condition when unmounting a filesystem with dirty buffers.)
 
2014-04-04 04:46:47 PM

TNel: Embedded XP, not plain Jane XP


Most ATMs are PCs bolted onto a safe.  They do not use embedded XP.  It's more expensive and more difficult to support.  First rule of financial companies:  they don't like spending money they don't have to.
 
2014-04-04 04:48:51 PM
damn I would love to be a fly in the room when the folks who are supposed to debug the xbox software get taken to task for missing a flaw a 5 year old found.
 
2014-04-04 04:54:18 PM

TNel: "Dad Robert - who works in security - sent details of the flaw to Microsoft. "



Awww.... Little Bobby Tables, all grown up
 
2014-04-04 05:13:45 PM

TNel: red5ish: A "security flaw" that is a lot like leaving your keys in the ignition. This from the company that wants to run the Kinect camera 24/7 with a constant internet connection. I imagine the entire PlayStation development team is laughing and giving each other high fives right about now.

Yeah because PSN is foolproof right?  It was patched in a day of it being found what more do you want?  There will always be holes as long as they are patched when they are found then all is well.

This was only useful if the account was stored on the Xbox so nobody could get into anyone's account that wasn't already saved to their console.


I actually thought MS response to this was entirely awesome.

Put the kid on the list of security researchers and the official acknowledgments page, and gave him $200 in games.

Not bad - if it was Sony they probably would have banned him for life and bricked his playstation remotely.
 
2014-04-04 05:26:41 PM

gingerjet: Cytokine Storm: Your password security sucked.

Or someone else's security sucked.  Most of the time successful account hijackings are due to userid and password lists stolen from one of the thousand sites that have been hacked into.

/don't use the same password for multiple services


Or he ran afoul of someone who knew social engineering, or someone wanted his gamertag that knew how easy it was.

/ie you keep calling customer support and asking to get your password until you get someone cooperative and gullible
 
2014-04-04 05:38:32 PM
The craziest thing is that I was thinking of submitting this to Fark with the exact same headline...

/shame I don't have an XBL account, sure something this asinine slip through would get a nice class action settlement
//though I'm betting that MS has it in the EULA that you can't sue them if you use their service
 
2014-04-04 05:48:39 PM

TNel: KawaiiNot: My Xbox live account got hacked. Something major is going on. Logins from Russia and Hungary. Had to take back control and add extra authentication to it. Thank goodness my credit card info wasn't in the account!

Even if your CC was stored on their server do you really think they show you the whole thing online?  Mine is stored and the last time I looked it was showing up as xxxx-xxxx-xxxx-1234 03/2014


So that would totally stop them using it for purchases in the xbox gaming system?

See online that other people are getting hacked too and fraudulent game purchases on their credit cards.
 
2014-04-04 06:28:28 PM

SquishyLizard: Something I never understood: Congratulations, you have now created a five-year-old with intimate knowledge of your plans, codes, and passwords, surely no security weaknesses there...


Considering you'll need a new one every year anyway (or else the kid wouldn't be a five-year-old), there's no reason not to stage an accident before he is old enough to become a security risk.
 
2014-04-04 07:14:12 PM
[i.imgur.com image]
 
2014-04-04 07:17:04 PM

China White Tea: My guess would be a logic error in the password check - not a memory corruption.


Usually this sort of thing is shortcut programmers put in there so they do tests without having to type a password every single time, then forgot to take out before release.
 
ZAZ [TotalFark]
2014-04-04 07:22:46 PM
I have seen a login program that allowed any password because nobody thought to do negative testing.  If you typed the correct password it would log you in and authenticate you to the network. If you typed any other password it would log you in without network authentication. Since the machine was a server, there were useful local resources.
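
The fail-open login described in the comment above, next to a fail-closed version and the negative test that tells them apart. This is an added example, not code from the thread or from any real product; the function names, the stored credential and the list of rejected inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int logged_in; int net_auth; } session_t;
typedef session_t (*login_fn)(const char *pw);

/* Constructed credential. A real system compares salted hashes, not plaintext. */
static const char STORED_PW[] = "correct horse";

static int pw_matches(const char *pw) { return strcmp(pw, STORED_PW) == 0; }

/* Fail-open: the password result only gates the network step, so every
 * caller leaves with a local session. */
session_t login_fail_open(const char *pw)
{
    session_t s = {0, 0};
    if (pw_matches(pw))
        s.net_auth = 1;
    s.logged_in = 1;             /* defect: reached on every path */
    return s;
}

/* Fail-closed: nothing is granted until the check has succeeded. */
session_t login_fail_closed(const char *pw)
{
    session_t s = {0, 0};
    if (!pw_matches(pw))
        return s;
    s.logged_in = 1;
    s.net_auth = 1;
    return s;
}

/* Positive test only: does the right password produce a full session? */
int positive_test_passes(login_fn login)
{
    session_t s = login(STORED_PW);
    return s.logged_in && s.net_auth;
}

/* Negative test: inputs that must be refused (constructed sample set). */
static const char *const MUST_REJECT[] = {
    "", "        ", "wrong", "correct horse ", "CORRECT HORSE",
};

/* Returns how many of the must-reject inputs were given a session. */
size_t negative_test_failures(login_fn login)
{
    size_t failures = 0;
    for (size_t i = 0; i < sizeof MUST_REJECT / sizeof MUST_REJECT[0]; i++)
        if (login(MUST_REJECT[i]).logged_in)
            failures++;
    return failures;
}

int main(void)
{
    printf("fail-open:   positive=%d negative failures=%zu\n",
           positive_test_passes(login_fail_open),
           negative_test_failures(login_fail_open));
    printf("fail-closed: positive=%d negative failures=%zu\n",
           positive_test_passes(login_fail_closed),
           negative_test_failures(login_fail_closed));
    return 0;
}
```

Both versions pass the positive test, so a suite that only tries the correct password cannot distinguish them.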
 
2014-04-04 08:13:44 PM
Script kiddie.
 
2014-04-04 08:24:59 PM

TNel: "Dad Robert - who works in security - sent details of the flaw to Microsoft. "

What part of security?  Almost sounds like he found the flaw then said his kid did it.  Yes I rarely believe these kinds of stories.


This...building the kid's resume early.
 
2014-04-04 08:39:40 PM

CtrlAltDestroy: [i.imgur.com image 640x480]


Clever, but unnecessary..
[stanbiron.com image]
 
2014-04-04 08:52:41 PM

red5ish: ReverendJasen: No, they just suffer from the class of bugs where entering a bunch of spaces lets you in to someone's account.

A "security flaw" that is a lot like leaving your keys in the ignition. This from the company that wants to run the Kinect camera 24/7 with a constant internet connection. I imagine the entire PlayStation development team is laughing and giving each other high fives right about now.


I can just picture them on monday slinking into the new CIO's office and whispering "Hey remember when we got hacked three times in a row and gave our entire user database in the process each time?  Yah this is sorta like that, right?"
*nervous chuckle*
"Right?  So all is forgiven?  Right?"

/Fark both those companies in their arrogant starfish.
 
2014-04-04 09:48:21 PM

gingerjet: Most ATMs are PCs bolted onto a safe. They do not use embedded XP. It's more expensive and more difficult to support. First rule of financial companies: they don't like spending money they don't have to.


I left BoA in 2003.  Part of my job was doing site surveys and installing new ATMs.  At that point, their standard ATM was still an NT4.0 workstation box.  So yeah, they don't change, or spend money if not absolutely necessary.
 
2014-04-05 01:24:28 PM

ZAZ: Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.

I discovered a similar bug in a screen lock program for IBM mainframes. There was a huge category of strings that no normal person would enter that would crash the lock program. I think the best analogy on modern unixy systems would be if a system accepted an 8 character password, you entered 8 non-ASCII characters, and the UTF-8 encoding expanded the string beyond the 8 byte buffer allocated for it. Microsoft went to unicode strings internally long ago and might not suffer from that class of bugs.


Back in the day, you could get around windows 95 screen saver passwords by control-alt-deleting and then ending the screen saver.
 
Displayed 50 of 54 comments
