bit-gamer.net

PSN password reset vulnerability uncovered

Sony's password reset system for the restored PlayStation Network has been taken offline.

Sony's password reset system for the restored PlayStation Network, which was taken down by hackers last month and has only recently returned to full functionality, has been revealed to have further vulnerabilities of its own.

Sony has been forced to take down some websites in order to fix the vulnerability, which could allow hackers to change users' passwords and gain access to their accounts.

The vulnerability is based around the password reset system, which requires the email address the PSN account is linked to and the date of birth for the user - information which was compromised in the initial attacks and was not encrypted.
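
The reset flow described above accepts two facts that were both in the stolen data. As an added example (not from the article or from Sony's code; every name, the account record and the 15-minute lifetime are constructed assumptions), the Python below puts that check beside a reset that instead requires a random, single-use, expiring token mailed to the address on file:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for this example

# Constructed account record; the email and date of birth stand in for leaked data.
ACCOUNTS = {"user@example.com": {"dob": "1990-01-01", "password_changes": 0}}
PENDING = {}  # email -> (sha256 hex of token, expiry time)


def weak_reset_allowed(email, dob):
    """Check as the article describes it: email plus date of birth authorise a reset."""
    acct = ACCOUNTS.get(email)
    return acct is not None and acct["dob"] == dob


def request_reset(email, now=None):
    """Issue a random token; the caller mails it and never echoes it to the browser."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None  # caller shows the same message whether or not the account exists
    token = secrets.token_urlsafe(32)
    # Only a hash is stored, so a copy of this table does not yield usable tokens.
    PENDING[email] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token


def complete_reset(email, token, now=None):
    """Allow the password change only for an unexpired, unused, matching token."""
    now = time.time() if now is None else now
    entry = PENDING.pop(email, None)  # pop: each issued token gets one attempt
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return False
    ACCOUNTS[email]["password_changes"] += 1
    return True
```

Because the token travels by email, this design is only as strong as the mailbox it is sent to, which is why the advice about email passwords below matters.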

Eurogamer claims to have seen video evidence of the vulnerability being exploited.

'Unfortunately this means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being,' Sony said in an official statement.

'In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.'

Users are advised to change the passwords associated with their email accounts, to be on the safe side.

17 Comments

Nutyy 18th May 2011, 18:23
Hmm, lots of people I've talked to are having this problem but I had no troubles at all. All I had to do was change password automatically, no hassle and done in less than a minute. Looked at my account details and looking at the random data I entered I'm safe from hackers, anyway I'm back off to my home town of Nutwood, I hope no hackers come to my house.....
mi1ez 18th May 2011, 18:25
Hope this one hasn't been known for a week...
AcidJiles 18th May 2011, 18:26
Sony said they took security seriously. No miscommunication.
Whirly 18th May 2011, 19:00
Just so long as they're taking security seriously this ti...D'oh!
tad2008 18th May 2011, 21:09
The data should have been stored encrypted and only takes an extra line of code to handle.

Since the hackers supposedly got the source code as well as the user data they will have the necessary keys for any encryption. All Sony had to do was change their keys, add a line of code to encrypt user data, iterate through it all and then force a password reset on ALL user accounts, thus preventing any hackers from making use of pre-existing keys or passwords, and all their users would then just have to confirm via a link in an email to then change their password to something they would remember.

All elementary stuff tbh.
LordPyrinc 19th May 2011, 04:39
Considering their continued problems, the hack still smells like an inside job to me.
Malvolio 19th May 2011, 07:10
How much forethought does it actually take to realise that your entire database has been compromised, and that those who took it may wish to use it? What does it say of your security and technical teams when before even being put live the simplest of things is egregiously overlooked? I've pondered over a parallel to draw from this situation for nearly twenty minutes now, but I've yet to come up with something so absolutely daft as this one. The first time I heard about the extent to which the network had been compromised the least I expected was for everything to be locked down when PSN came back on-line, and password changes only allowed from the last console used to log in to the network, at which point in time you force users to change their password along with any form of secret question or such, and completely review their account details in their entirety, allowing for deletion of any detail not specifically wanted (all the better to placate the agitated masses). Anything less would be an insult to a disenfranchised user base one hundred million strong.

But what do I know? I certainly don't make the kind of money those in Sony's digital security department make, so surely they know what's best, right? Right?
Jake123456 19th May 2011, 09:48
I'm actually loving this :)
BurningFeetMan 19th May 2011, 11:21
What about if Steam got hacked? Would you love that? Or iTunes? Hell, why stop with online stores? Hospitals, schools and all other kinds of public & private systems!

Yes, there's heaps to love about security breaches and millions of people having their private details exposed and their accounts compromised.
KiNETiK 19th May 2011, 11:23
This is comedy
SNIPERMikeUK 19th May 2011, 11:23
This could become an excuse for the PSN store being down longer....
Memnoch-fr 19th May 2011, 11:43
I'm not a PS hater, but shouldn't this have been obvious? The website password change should have been locked out until the change had been made via a PS3.

@SNIPERMikeUK: PSN store was always going to be delayed (31st of May deadline)
bobwya 19th May 2011, 17:32
Quote:
Originally Posted by BurningFeetMan
What about if Steam got hacked? Would you love that? Or iTunes? Hell, why stop with online stores? Hospitals, schools and all other kinds of public & private systems!

I think hackers prefer the low hanging fruit. Developers of Securom, etc. - it was always a possibility they might become a target one day...

iTunes is secure btw.
Waynio 20th May 2011, 02:04
Quote:
Originally Posted by BurningFeetMan
What about if Steam got hacked? Would you love that? Or iTunes? Hell, why stop with online stores? Hospitals, schools and all other kinds of public & private systems!

Yes, there's heaps to love about security breaches and millions of people having their private details exposed and their accounts compromised.

Agreed but this should serve as a warning to other corporations not to mess with hackers too much & Sony clearly underestimated what they could do thinking they could handle a determined force, which from my viewpoint looks like they can't especially after them holding their hands up & saying they can't guarantee users' security, this says to me they were using the best security available & they still knocked it down.

But it is a scary thought of what could be done if master hackers got together for criminal stuff or deeply bad things.

Or yes it could simply be an inside job, guess we'll never know.
BurningFeetMan 20th May 2011, 09:47
So, is the reported value of Facebook 50 billion dollars, or is that the data within Facebook that's worth that much?

There are hackers and then there's organized crime. The worst part about online databases, is that once your data is out there, you have zero control. For example, who here has ever tried to close their PayPal account? I have, upon finding out that my PayPal account details were leaked. And to close my account, they wanted me to give them my bank account details! And I was like... To close my unused PayPal account after finding a breach in their security, where spammers started spamming me with details that had only ever been given to PayPal, I had to give PayPal my bank account details.

And I still wonder how the hell this breach in PayPal's security never made headlines. I guess there's the heavy rollers, and then there's Sony.
Da_Rude_Baboon 20th May 2011, 10:00
Quote:
Originally Posted by Waynio
which from my viewpoint looks like they can't especially after them holding their hands up & saying they can't guarantee users' security.

Only a fool would say they have 100% foolproof security. Not only would it be untrue it would make you the number 1 target for any hacker/s wanting to make a name for themselves.
Waynio 20th May 2011, 12:16
Quote:
Originally Posted by Da_Rude_Baboon
Only a fool would say they have 100% foolproof security. Not only would it be untrue it would make you the number 1 target for any hacker/s wanting to make a name for themselves.

I know this but apparently Sony didn't or were just too arrogant.