[UPDATE] PSN Password Reset Vulnerable to Exploit


According to reports, Sony websites meant to help PlayStation Network users secure their accounts were vulnerable to a simple exploit.

Sony finally brought the PlayStation Network back online this week, in the process releasing a firmware update that required users to reset their passwords just to be safe. Sadly, it looks like Sony can't catch a break, as some of its websites used to help reset those passwords were also vulnerable to an exploit.

The exploit apparently allowed anyone with a PSN user's date of birth and email address to change their password without confirmation. This was reportedly information that could have been leaked in the attack on Sony.

Nyleveia first reported on the vulnerability, and it was confirmed by a poster on NeoGAF. Sony made PSN sign-in and password change unavailable on various websites such as PlayStation.com and Qriocity.com around 15 minutes after Nyleveia contacted the company, saying: "This is due to essential maintenance and at present it is unclear how long this will take." Sony is likely fixing the issue.

Thankfully, even if someone tried to change a user's password using this exploit, the system would send a confirmation email, though the link inside did not need to be clicked. If you didn't get this email, in addition to an email confirmation about a password change, you're safe. Changing one's password through a PlayStation 3 console was not affected by the vulnerability.

This exploit really makes you wonder. Are these kinds of things issues with every company, and Sony merely has a magnifying glass upon it, or is Sony dropping the ball somewhere? Sony may have been the victim of a "highly sophisticated" attack, but for the password reset system to be vulnerable in such a simple way is really a "WTF" moment in light of the recent PSN debacle.

*UPDATE* To clarify, Sony's Patrick Seybold explains on the PlayStation Blog that there was no hacking or hackers involved here. "We temporarily took down the PSN and Qriocity password reset page," he writes. "Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."

He recommends that anyone still needing to change their password do so through a PS3 console. It can be done through web-related means once the websites go back up.

Source: Eurogamer
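
The flaw described above is that the emailed link did not need to be clicked, so an email address and date of birth were enough to change a password. The following is an added example (not Sony's code and not from the original article) of a reset flow where those two facts only cause a mail to be sent, and the change itself requires the single-use, expiring token from that mail. The `ResetService` class, its in-memory stores and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed validity window, in seconds


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # email -> {"dob", "salt", "pw"}
        self.pending = {}   # sha256(token) -> (email, expiry); raw token is never stored
        self.outbox = []    # (email, token): stand-in for real mail delivery

    def add_account(self, email, dob, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"dob": dob, "salt": salt, "pw": _hash_pw(password, salt)}

    def check_password(self, email, password):
        acct = self.accounts[email]
        return hmac.compare_digest(acct["pw"], _hash_pw(password, acct["salt"]))

    def request_reset(self, email, dob):
        # Email + date of birth only trigger a mail; no credential changes here.
        acct = self.accounts.get(email)
        if acct and hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))
        # Same reply either way, so the form does not confirm which details are valid.
        return "If the details match, a reset link has been sent."

    def complete_reset(self, token, new_password):
        # The change requires the mailed token: unknown, reused or expired tokens fail.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the token single-use
        if entry is None or self.clock() > entry[1]:
            return False
        acct = self.accounts[entry[0]]
        acct["pw"] = _hash_pw(new_password, acct["salt"])
        return True
```

Someone who holds only the leaked email address and date of birth can cause a mail to be sent but cannot reach `complete_reset` with a valid token unless they also control the mailbox.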


Glad I just did it on my PS3. Kind of sad these hackers have nothing better to do, at this point Sony should just give them Linux so they can show people just wanted to get free games not another OS. Then when PS4 comes out and doesn't do shit besides play games, people won't wonder why. "It only does games."

It's a lot of sites. A password reset is one of the easiest ways to steal someone's account. This is how I got my World of Warcraft account stolen. You are especially screwed if the hacker knows your password to your e-mail which is how my WoW got hacked in the first place.

The best way I have seen it done is with authenticators. I have one for WoW and one for FFXIV. I wouldn't mind having them for my PSN or XBox Live but I know a lot of people would be annoyed to have to type in a 6-digit number every time they log into either. I wouldn't care because it would be secure!

... Sony just can get a brake. This is like kicking the guy in the nuts and then repeat the assault while laughing manically like a joker rip off.

I changed mine on my PS3 and checked my email anyway, so I'm safe. Well, unless there's something else. But let's not be ridiculous. There's no way there could be anything...else...right?

auronvi:
It's a lot of sites. A password reset is one of the easiest ways to steal someone's account. This is how I got my World of Warcraft account stolen. You are especially screwed if the hacker knows your password to your e-mail which is how my WoW got hacked in the first place.

Agreed; it just sucks for Sony that this was found now.

Sites *should* require more information to let you change passwords, with the more "important" log ins needing more information. It's a trade off, and too many sites err on the wrong side.
At the very least, it should have required the email's link to be clicked before changing the password.

auronvi:
It's a lot of sites. A password reset is one of the easiest ways to steal someone's account. This is how I got my World of Warcraft account stolen. You are especially screwed if the hacker knows your password to your e-mail which is how my WoW got hacked in the first place.

The best way I have seen it done is with authenticators. I have one for WoW and one for FFXIV. I wouldn't mind having them for my PSN or XBox Live but I know a lot of people would be annoyed to have to type in a 6-digit number every time they log into either. I wouldn't care because it would be secure!

Even easier if you happen to have both passwords the exact same.

Happened in WoW and Runescape, but I always just hit an eight digit password instead of words or phrases.

OT: Sony, just give up and let another company fix everything for you, please?

This is starting to get embarrassing for everyone.

But, at the very least, Sony might learn from this and the PS4 might actually be worth it.

...

Really? Can these guys just stop? Sony's been through enough already. That's coming from a PC/360 user, too.

AstylahAthrys:
...

Really? Can these guys just stop? Sony's been through enough already. That's coming from a PC/360 user, too.

The guys who found out about it let Sony know about it.

Geez, Sony can't catch a break, huh? The whole PSN crisis has been one setback after another snowballing into a perfect pile of shit. I don't have a PS3 myself, but I know plenty of people who do. I could only imagine what would happen if something like this happened to Xbox Live...

luvd1:
... Sony just can get a brake. This is like kicking the guy in the nuts and then repeat the assault while laughing manically like a joker rip off.

A brake? They must already have one. How do they stop their cars if they don't have brakes?

I'm betting the same vulnerabilities exist everywhere. Sony's just had the pressure on to get these systems in place asap and have everyone checking in detail everything they do because it's news.

Still, I'd think someone out there got raked over the coals over this one. Bad luck for them.

There is never an end to this entire shitstorm, is there?

Uncle_Brainhorn:

luvd1:
... Sony just can get a brake. This is like kicking the guy in the nuts and then repeat the assault while laughing manically like a joker rip off.

A brake? They must already have one. How do they stop their cars if they don't have brakes?

.... I hate the iPad's spell check sometimes.

gphjr14:
Glad I just did it on my PS3. Kind of sad these hackers have nothing better to do, at this point Sony should just give them Linux so they can show people just wanted to get free games not another OS. Then when PS4 comes out and doesn't do shit besides play games, people won't wonder why. "It only does games."

Yeah, why can't they do something useful, like play games on their television sets.

The OtherOS stuff has nothing to do with game piracy.

Hmm...might have to sue Escapist for causing me serious injury.

Was laughing so hard I actually fell off the chair...

<--Owns a PS3 that's been modified so far the only thing it's got in common with stock is the Sony logo on the bottom sticker (can't get rid of it, polish remover not working, any ideas?).
Hack my account, please :P

No, Sony isn't any different than a bunch of other sites. Both Microsoft & Apple's ID's aren't that hard if you just have a few simple pieces of info. This is an overarching problem that isn't going away with Sony making a few adjustments.

You have got to be kidding me. The ineptitude of this company just keeps revealing itself. I was thinking of going with a PS3 soon and now I am not so sure.

Oh dear; I began to laugh and my ass has fallen off.

Now my pants don't fit and I can't sit down.

This is unacceptable.

At this rate I am just going to assume the lack of information on the hack was due to Sony not knowing they had been hacked, as this is getting stupid. Okay, I understand having a flaw with your password reset, as it's the easiest thing to use to hack someone's account.

But when an independent website and a random user have to make you aware of the security flaw, that is just ridiculous. What is your security team actually doing? At this rate, if Sony say their security team consists of 12 howler monkeys, I would not be too surprised.

Glad my birthday isn't on my account, nor my name, or any of that stuff.
Pretty sure what's described is pretty typical tools for phishing.

AstylahAthrys:
...

Really? Can these guys just stop? Sony's been through enough already. That's coming from a PC/360 user, too.

Looks like someone didn't read the article before starting to comment.

gphjr14:
Glad I just did it on my PS3. Kind of sad these hackers have nothing better to do, at this point Sony should just give them Linux so they can show people just wanted to get free games not another OS. Then when PS4 comes out and doesn't do shit besides play games, people won't wonder why. "It only does games."

You are right, when they say "It only does games" people will expect that. Just as when they say "it does other things" they should expect it to do other things. I don't recall them stating "It'll do other things, for a while anyways... then we're going to stop allowing you to do that."

Just change the password through a console, not a website. It's really that simple. I feel the need to point out that ALMOST EVERY web login will reset your password with only the email addy, so this is a two-part key needed to even start the ploy. Not a very big threat profile AT ALL.

Honestly what are you expecting... a company that has a billion customers had to completely redesign their entire security system in under a month isn't going to do so carefully, or critically, they are going to get things done as fast as possible, which will also mean they will most likely miss a few things...

I'm not surprised something as simple as this is happening. When you design a system, you get tunnel vision; that's why you get others to look at it and make sure it's been covered from all angles. When you're rushing the release, you have less/no time to do so...

eharriett:
No, Sony isn't any different than a bunch of other sites. Both Microsoft & Apple's ID's aren't that hard if you just have a few simple pieces of info. This is an overarching problem that isn't going away with Sony making a few adjustments.

Difference is Microsoft and Apple don't hand over everyone's personal information making such hacking so much easier... Sony JUST had a huge leak of personal info which is exactly the type of thing they can use to steal your accounts... Even if they call up support and are asked questions on every bit of personal information Sony has on you, they can get them all right... It's just careless to have such a flaw in your system knowing that such information was just leaked.

SaintWaldo:
Just change the password through a console, not a website. It's really that simple. I feel the need to point out that ALMOST EVERY web login will reset your password with only the email addy, so this is a two-part key needed to even start the ploy. Not a very big threat profile AT ALL.

You don't really understand do you?
THEY can change your password without your knowledge... so if you fail to change your account before they do, you have lost your account... The difference between this and every other password reset system is that most give you a temporary URL to "authenticate" the change, which is sent to your email address for you to confirm the change... thus if they don't have access to your email, nothing will happen... Sony's doesn't have such verification, and is thus vulnerable... That's a pretty big hole.

As a precaution you should have a separate email for any online account that would be a target anyway (such as game accounts, bank, insurance, etc.).

AstylahAthrys:
...

Really? Can these guys just stop? Sony's been through enough already. That's coming from a PC/360 user, too.

Yeah they really should have kept quiet for a few weeks and let some people with malice find this out instead. :P

Yeah, it may be similar in other sites. But that is no excuse. This is a security flaw that shouldn't be forgiven. Yes, Sony had a pretty rough month, but it is not the customers' fault that there were vulnerabilities in the system. So Sony is not getting sympathy from me. It is their job to make sure that your information isn't leaked. They failed at it (with this, it can be said that it happened twice), so I'm not saying poor Sony. I'm saying do something about it.

Straying Bullet:
There is never an end to this entire shitstorm, is there?

If you owned a psp, you would already know that the answer to that is No.

Oh goody *clap clap* kick a man while he's down, now that's nice. I miss being able to play LBP2 online; it's annoying that people won't give them a break.

I thought the whole point of the "You have to get the e-mail and use the included link within 24 hours or it expires to change your password from the web" set-up was so that this exact scenario could NOT happen.

At least the people who found it reported it to Sony and Sony acted on the information as soon as possible. Now, whoever found this exploit might not actually be a hacker in the traditional definition, but this is the sort of thing good hackers do: find exploits and report them so that companies can fix them. This is why not all hackers should be shot or launched into the sun or whatever other stupid scenarios people have ranted about doing to hackers because of the person or people who hacked PSN.

Now, if Sony hadn't taken away Other OS (and backwards compatibility for that matter (try to find a PS2 if yours craps out; g'wan, I dare you)), this probably wouldn't be happening.

Amondren:
Oh goody *clap clap* kick a man while he's down, now that's nice. I miss being able to play LBP2 online; it's annoying that people won't give them a break.

Kicking a man? That's wrong.
Kicking a multi-billion dollar company that gave us such wondrous gifts as SecuROM and the BMG rootkit? That's FUN...
