Microsoft Xbox pwned by 5-year-old security researcher

Xbox pwned by 5-year-old security researcher

Image of kid playing xbox courtesy of KGTV on

First, he typed in a wrong password for an Xbox Live account.

Next, he got a password verification screen.

He typed in a whole lot of space keys, hit enter, and badda bing, badda boom, he was in!

Yes, it was that easy for Kristoffer Von Hassel to get in through a backdoor in Microsoft’s smashingly popular video gaming system – as in, straight in to all the slobbering zombies and screaming violence or whatever it was that his parents would never have let him play with if they’d had their say, no, sir.

“I was, like, YEEEAAAA!” said the 5-year-old security researcher from Ocean Beach, California, the discoverer of an Xbox One Console backdoor that Microsoft patched after the disclosure and who was accordingly cited on the company’s Security Researcher Acknowledgements page.

According to ABC 10 News, Kristoffer’s parents noticed that soon after Christmas, he was logging into his father’s Xbox Live account and playing games he wasn’t allowed to play.

In video shot soon after and posted by his father, Robert Davies – who works in computer security – asked Kristoffer how he broke into his account.

Kristoffer was actually kind of scared that his dad would find out, he said. Nonetheless, he showed his dad how he hacked his account.

Davies was tickled pink:

How awesome is that? Just being 5 years old and being able to find a vulnerability and latch onto that. I thought that was pretty cool.

…particularly since both he and Kristoffer obviously believe in responsible disclosure (thus, they told Microsoft about the bug before releasing the story and the hack details).

This isn’t Kristoffer’s first hack. Davies said his son has figured out 3 or 4 vulnerabilities prior to the Xbox backdoor.

A commenter on the story named Cat von Hassel-Davies who said that she’s Kristoffer’s grandmother said as much:

He is very brilliant and this was not his first nor his second. We visited over Christmas and he figured out my iPhone password. He figures out his Moms all the time. I could go on and on about his exploits. We are so extremely proud of him.

In fact, ABC 10 News reports, at age 1, precociously button-pushing Kristoffer got past the toddler lock screen on a cell phone by holding down the home key.

Kristoffer, for his part, was thrilled at being listed on Microsoft’s acknowledgement page.

“I’m gonna be famous!” he said, his arms up in the air before he buried his gleeful face in his hands.

Well, we hope so, Kristoffer! If not famous with a capital F, famous in a way that’s going to make for a heck of a story on a college or job application.

Like one of the commenters mentioned, this type of tinkering could well lead to a full scholarship some day.

That would be great. The world of infosec needs more like Kristoffer: a load of talent stuffed into one small package and tied up with a responsible-disclosure bow.

Mom and Dad, you must be very proud. You should be!

Image of from KBTV on ABC 10 News.