Kristoffer Von Hassel managed to log in to his father's Xbox Live account. When the password log-in screen appeared, Kristoffer simply hit the space button a few times and hit enter.
Robert Davies told KGTV-TV that just after Christmas he noticed his son playing games he supposedly could not access.
Mr Davies, who works in computer security, said he reported the issue to Microsoft, which fixed the bug and listed Kristoffer on its website as a "security researcher".
A Microsoft statement said "we take security seriously" and thanked customers for highlighting issues.
It is not Kristoffer's first triumph. As a one-year-old, he bypassed a mobile phone toddler lock by holding down the "home" button.