According to reports, Sony websites meant to help PlayStation Network users secure their accounts were vulnerable to a simple exploit.
Sony finally brought the PlayStation Network back online this week, in the process releasing a firmware update that required users to reset their passwords just to be safe. Sadly, it looks like Sony can’t catch a break, as some of its websites used to help reset those passwords were also vulnerable to an exploit.
The exploit apparently allowed anyone with a PSN user’s date of birth and email address to change their password without confirmation. This was reportedly information that could have been leaked in the attack on Sony.
Nyleveia first reported on the vulnerability, and it was confirmed by a poster on NeoGAF. Sony made PSN sign-in and password change unavailable on various websites such as PlayStation.com and Qriocity.com around 15 minutes after Nyleveia contacted the company, saying: “This is due to essential maintenance and at present it is unclear how long this will take.” Sony is likely fixing the issue.
Thankfully, even if someone tried to change a user’s password using this exploit the system would send a confirmation email, though the link inside did not need to be clicked. If you didn’t get this email, in addition to an email confirmation about a password change, you’re safe. Changing one’s password through a PlayStation 3 console was not affected by the vulnerability.
This exploit really makes you wonder. Are these kinds of things issues with every company, and Sony merely has a magnifying glass upon it, or is Sony dropping the ball somewhere? Sony may have been the victim of a “highly sophisticated” attack, but for the password reset system to be vulnerable in such a simple way is really a “WTF” moment in light of the recent PSN debacle.
*UPDATE* To clarify, Sony’s Patrick Seybold explains on the PlayStation Blog that there was no hacking or hackers involved here. “We temporarily took down the PSN and Qriocity password reset page,” he writes. “Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”
He recommends that anyone still needing to change their password do so through a PS3 console. It can be done through web-related means once the websites go back up.