My 5-year-old has figured out how to exploit the Xbox One console to gain access to my Xbox Live account.

March 5, 2014: Microsoft has pushed an update to the Xbox One fixing this security hole.

This was originally covered by ABC 10 News in San Diego:

He did find this vulnerability himself, without any help from us. We realized something was odd when he started getting to YouTube and some other games.

Lucky for us, he is still young enough to give brutal honesty, and he gave himself up. This video was taken by me so I could try to reproduce the bug later. I failed and got locked out of my account after the 4th or 5th attempt. After resetting it, Kristoffer suggested it was because the Kinect could see me and asked me to move out of sight of the device. I did, and it worked.

He had also originally thought that he needed to enter XYXY as my PassKey multiple times before entering spaces as the password. He was just getting the PassKey wrong 3 times and bringing up a Password Verification screen, since it couldn't verify my PassKey. From that password screen, he would fill the screen with spaces by pushing the Y button on the controller. After refining the number of spaces, we were able to determine that only 1 space, pushing the Y button once, and then Enter, still logged the account in.

When I reported this to MSRC, they could not reproduce the findings at first. After I suggested turning off the Kinect or standing out of its field of view, they were able to reproduce it and issued me a case number for the problem.

Kristoffer was presented with the choice of telling Microsoft about the problem and having it fixed, or releasing the video on YouTube and submitting a bulletin to Full Disclosure. He decided that having it fixed before telling anyone about it would save people from having their Xboxes stolen. Responsible disclosure was the route he wanted to take, and his Mom and I could not be more proud.

To further clarify: no, my password was NOT all spaces. It was 13 unique characters: numbers, letters and symbols.

This is not his first time exploiting things:
Bypassing wireless network ACLs blocking YouTube by running his own CAT5.
Exiting ToddlerLock, NOT the lock screen, at 1 year old. No, he did not hit the corners counter-clockwise; he used his own method, which he could not have read about.
Taking advantage of finger smudges on lock screens to guess phone passcodes. Ask his Oma, who submitted this story to the news in the first place.
And my favorite: he social-engineers his mother to steal her tech ALL the time!

And please don’t forget, he has MANY talents like all kids:
Avid Reader (above grade level)
Natural Disaster Researcher (He likes tornadoes A LOT!)
LEGO Builder
Minecraft Builder

He does go to the library at least once a week, and has spent his allowance on books many times.

Thank you all for reading the whole thing directly from the source.