Microsoft Xbox pwned by 5-year-old security researcher

Filed Under: Featured, Microsoft, Security threats, Vulnerability

Image of kid playing xbox courtesy of KGTV on

First, he typed in a wrong password for an Xbox Live account.

Next, he got a password verification screen.

He typed in a whole lot of space keys, hit enter, and badda bing, badda boom, he was in!

Yes, it was that easy for Kristoffer Von Hassel to get in through a backdoor in Microsoft's smashingly popular video gaming system - as in, straight in to all the slobbering zombies and screaming violence or whatever it was that his parents would never have let him play with if they'd had their say, no, sir.

"I was, like, YEEEAAAA!" said the 5-year-old security researcher from Ocean Beach, California, the discoverer of an Xbox One Console backdoor that Microsoft patched after the disclosure and who was accordingly cited on the company's Security Researcher Acknowledgements page.

According to ABC 10 News, Kristoffer's parents noticed that soon after Christmas, he was logging into his father's Xbox Live account and playing games he wasn't allowed to play.

In video shot soon after and posted by his father, Robert Davies - who works in computer security - asked Kristoffer how he broke into his account.

Kristoffer was actually kind of scared that his dad would find out, he said. Nonetheless, he showed his dad how he hacked his account.

Davies was tickled pink:

How awesome is that? Just being 5 years old and being able to find a vulnerability and latch onto that. I thought that was pretty cool.

...particularly since both he and Kristoffer obviously believe in responsible disclosure (thus, they told Microsoft about the bug before releasing the story and the hack details).

This isn't Kristoffer's first hack. Davies said his son has figured out 3 or 4 vulnerabilities prior to the Xbox backdoor.

A commenter on the story named Cat von Hassel-Davies who said that she's Kristoffer's grandmother said as much:

He is very brilliant and this was not his first nor his second. We visited over Christmas and he figured out my iPhone password. He figures out his Moms all the time. I could go on and on about his exploits. We are so extremely proud of him.

In fact, ABC 10 News reports, at age 1, precociously button-pushing Kristoffer got past the toddler lock screen on a cell phone by holding down the home key.

Kristoffer, for his part, was thrilled at being listed on Microsoft's acknowledgement page.

"I'm gonna be famous!" he said, his arms up in the air before he buried his gleeful face in his hands.

Well, we hope so, Kristoffer! If not famous with a capital F, famous in a way that's going to make for a heck of a story on a college or job application.

Like one of the commenters mentioned, this type of tinkering could well lead to a full scholarship some day.

That would be great. The world of infosec needs more like Kristoffer: a load of talent stuffed into one small package and tied up with a responsible-disclosure bow.

Mom and Dad, you must be very proud. You should be!

Image of from KBTV on ABC 10 News.

, , ,

You might like

8 Responses to Microsoft Xbox pwned by 5-year-old security researcher

  1. Blake · 553 days ago

    A kid with a bright future.

  2. Jim · 553 days ago

    Kudos to Kristoffer! And Kudos to dad, too, for teaching him about ethical hacking (responsible disclosure)!

  3. Just goes to show that no matter how tight you think your security is, your accounts are still vulnerable to a button mashing 5 year old.

  4. Reader · 553 days ago

    This incident makes me even more wary of the security of (commercially released or otherwise) software. And imagine how many incidents like this one that are never even publicly disclosed.

    * throws my hands up in the air * smh

  5. Nice bragging rights for the 5 yo & his fam, but a breathtaking indictment of MSs lax security practices.

  6. Justin Ong · 553 days ago

    Would be a nice note into his CV in the future =)

  7. Sebster · 552 days ago

    Calling a 5 year old a security researcher makes this whole article seem like a joke.

  8. Sizzle_Bizzle · 552 days ago

    They should have thrown him in jail. The little scamp. That'll 'learn' him!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.