Sometimes news of poor security breaks and sends the whole web-o-sphere into a panic. Heartbleed was one such story. Other times, one can't help but get a laugh out of weak security. A story that hit last week, and that is worth a laugh, involved an Xbox account being hacked not by a teenager with a lot of time on his hands, not by a world-class hacker or cyber criminals, but by a five-year-old kid who wanted to play some games he didn't have access to.
Shortly after Christmas last year, the child's parents caught him playing games on the Xbox that he shouldn't have been able to play; he had somehow hacked his father's account and could buy any game he pleased.
When he was asked how he broke into the account, the method turned out to be... well, kind of ridiculous. He had tried guessing the password to his father's account. When that didn't work, he was taken to a password verification screen where... he hit the space bar a bunch of times and logged in.
Interestingly, Microsoft actually offers a $10,000 bounty to hackers who can crack their system. Given that this seems to have been more of a fluke than a targeted hack, the family didn't get to reap the rewards, but it's kind of funny that educated, technically minded hackers looking for backdoors and weak points have nothing on a little kid who really wants to play Minecraft.
Microsoft has fixed the hack, so don't bother trying to score some free games. Going forward, here are a few tips that security professionals might want to keep in mind:
- Don't Just Rely on Professionals
A professional coder thinks from a professional perspective. They're not looking for dumb hacks that any five-year-old kid could employ; they're looking for, well, a challenge. When you put a $10,000 bounty on finding security flaws, hackers go looking for a ten-thousand-dollar hack.
- Keep a Five Year Old on the Payroll
Child labor laws probably won't allow this, but rewarding children and casual gamers who can hack the system with free games, or whatever prizes are appropriate to your website or gaming service, wouldn't be a bad idea. You never know who's going to discover your weak points, so extending bounties to anyone who can find them can help bring these weaknesses to light in the future.
- Double Verification Can Be Annoying, but Necessary
We might not like typing our credit card number in for every single purchase, but adding an extra security wall after login, at least where money is involved, can help prevent unauthorized payments, so that even if someone can hack your Xbox Live or Steam account, they won't necessarily be able to make purchases in your name.
"Sometimes security science may seem like it's more, well, art than science," said Jason Hope, tech expert (https://medium.com/@jasonhope), "but with a rigorous approach to developing and testing systems for passwords, verification and online signatures, it's not impossible to build a rock-solid security setup." The five-year-old hacker doesn't get to keep all the games he bought, but if he keeps at it, he may one day land a job as a professional white hat hacker. Companies like Sony and Facebook are known to hire professional hackers on a part-time and full-time basis to explore the flaws in their security systems and offer tips to improve their verification processes.
Fortunately, it doesn't seem as if the hack had been discovered prior to now, as nobody has come forward with stories of having their accounts hijacked with the spacebar hack. Most of all, the whole affair has just been a little embarrassing for Microsoft, which generally has a better track record than this when it comes to online security.
In the aftermath of this, it's easy to imagine hundreds of gamers trying similar hacks on the PlayStation Network, Steam and Xbox Live in hopes of scoring a bounty, or at least a few games.