You have to wonder how this bug got past QA.
San Diego news station KGTV reports that 5-year-old Kristoffer Von Hassel found a way to hack into his father's Xbox One account and play games he wasn't supposed to be playing. He was later rewarded with money and new games.
According to the report, Kristoffer's parents began to notice he was logging into his father's account right after Christmas. Eventually, the boy's father, computer security researcher Robert Davies, asked how he managed to hack the account.
Kristoffer revealed that all he had to do was type in the wrong password for his father's account at the login screen. The console then displayed a second password verification screen where he entered nothing but spaces and hit enter. Voila! He had access to his father's account… just like that.
"How awesome is that!" Davies told the news channel. "Just being 5 years old and being able to find a vulnerability and latch onto that. I thought that was pretty cool."
Robert Davies reported the bug to Microsoft on behalf of his son. In turn, Microsoft acknowledged Kristoffer among a list of security researchers that have helped make the Windows platform a safer place to play and work.
"We're always listening to our customers and thank them for bringing issues to our attention," Microsoft told the news channel. "We take security seriously at Xbox and fixed the issue as soon as we learned about it."
In addition to the acknowledgement, Microsoft is also giving the boy a year-long subscription to Xbox Live, $50 USD, and four games. Meanwhile, Microsoft reports that the vulnerability has been resolved.
Was Microsoft a bit careless with this security flaw? After all, Christoffer only had to hit the spacebar a few times in order to access a forbidden account. What if it wasn't a 5-year-old boy, but a thief looking for additional personal information?