
Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

Benedict

Member
So... is my info safe now?

I'm having a meltdown in my brain right now, after coming home from work, battling with computers and IT-support from the year 1945...
 

Massa

Member
MarkMclovin said:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

He didn't have to click anything.

When you request a new password Sony e-mails you a token that allows you to change it on their website. The problem here is that the person who requested that token somehow got access to it without having to read the e-mail Sony sent (or they found a way to reset the password without the token at all, but that's much more unlikely).
 
This will require at least 10 more little Japanese men bowing before they earn my trust back.



Can't wait to see the excuses in this thread. This company is fucked up and they don't give a shit about your security.
 
So essentially, the URL had a '&=username&dateofbirth' type string in it and it wasn't salted?

And that went past three independent security experts? Sheesh - get your consulting fees back from them, Sony.
 
kurtrussell said:
So essentially, the URL had a '&=username&dateofbirth' type string in it and it wasn't salted?

And that went past three independent security experts? Sheesh - get your consulting fees back from them, Sony.

Yeah... no.
 

brentech

Member
kurtrussell said:
Care to tell me what "shit" I brought from behind the safety of your keyboard?
Threats are cool.

Anyways, the whole otherOS and firmware shit simply doesn't end well, especially in a thread that has nothing to do with it. I'm simply saying don't reach here, as it has got many others banned, but if that's how you choose to respond it's probably for the better.
 

XiaNaphryz

LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
gofreak said:
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts.
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
 

Evlar

Banned
Massa said:
He didn't have to click anything.

When you request a new password Sony e-mails you a token that allows you to change it on their website. The problem here is that the person who requested that token somehow got access to it without having to read the e-mail Sony sent (or they found a way to reset the password without the token at all, but that's much more unlikely).
Which would indicate the "token" can somehow be determined from the data embedded in the original password reset page or from the personal data someone would already possess at that point in the reset process.
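
An added example, not part of any post in this thread and not Sony's code: a minimal server-side reset flow with the property Massa's and Evlar's posts turn on, namely that the password change succeeds only with a token that cannot be worked out from the e-mail address, the date of birth, or anything in the reset page. The thread does not establish how Sony's page actually failed. The names `ResetStore`, `request_reset`, `redeem`, `guessable_token` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


class ResetStore:
    """In-memory stand-in for a server-side reset-token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._pending = {}  # account e-mail -> (sha256 of token, expiry time)
        self._now = now

    def request_reset(self, email):
        # 256 bits from the OS CSPRNG. Nothing about the account goes in, so
        # knowing the e-mail or date of birth does not help predict the token.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[email] = (digest, self._now() + TOKEN_TTL)
        return token  # delivered only to the mailbox, never echoed in the page

    def redeem(self, email, token):
        """Return True once for the right, unexpired token; refuse all else."""
        entry = self._pending.get(email)
        if entry is None or not token:
            return False  # no pending reset, or the token was left out
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[email]
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(supplied, digest):
            return False
        del self._pending[email]  # single use
        return True


def guessable_token(email, dob):
    """Anti-pattern for contrast: a 'token' computed from what the requester typed."""
    return hashlib.sha256(f"{email}|{dob}".encode()).hexdigest()
```

Only the hash of the token is stored, so a read of the pending table does not yield usable reset links.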
 

TTP

Have a fun! Enjoy!
test_account said:
What did Japan say?

They aren't allowing PSN restoration in Japan until Sony provides some proof of increased security.

Japan is still PSN-less.
 

gofreak

GAF's Bob Woodward
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?

Given what it cost them in revenue, I really doubt it - the fees to bring in these people would be minuscule in comparison to what the amount of offline time was costing them, and they didn't 'skimp' on that amount of time.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
TTP said:
I don't see it in my URL.
The 'haxxorz' need the email and Date of Birth to 'haxx'
Because that's why you need to reset the account password.

The 'haxx' itself must be a way to get the password reset email from SONY and then change the URL.

But well they're fixing it now.
 
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?



then it would be the original hack all over again.
 

TTP

Have a fun! Enjoy!
Fersis said:
The 'haxxorz' need the email and Date of Birth to 'haxx'
Because that's why you need to reset the account password.

The 'haxx' itself must be a way to get the password reset email from SONY and then change the URL.

But well they're fixing it now.

Yeah, I know that. I'm just saying that info is not present in the verification url.
 

Hanmik

Member
Smision said:
This will require at least 10 more little Japanese men bowing before they earn my trust back.



Can't wait to see the excuses in this thread. This company is fucked up and they don't give a shit about your security.

do you want to join the "club"..?

Pu6rf.jpg
 

test_account

XP-39C²
TTP said:
They aren't allowing PSN restoration in Japan until Sony provides some proof of increased security.

Japan is still PSN-less.
True, but the security can still be improved :) It just depends on what type of proof they need and how they want to acquire this proof, maybe it takes some time. I wonder what type of proof they want to see.
 

Tntnnbltn

Member
test_account said:
I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
 

TTP

Have a fun! Enjoy!
test_account said:
True, but the security can still be improved :) It just depends on what type of proof they need and how they want to acquire this proof, maybe it takes some time. I wonder what type of proof they want to see.

I wonder that as well.

This password reset thing doesn't help matters tho. :D
 

Zoe

Member
larvi said:
Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?

That is the one thing you will never be able to change (at least by yourself). There are implications for access controls and internet laws.
 

test_account

XP-39C²
Tntnnbltn said:
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
That is a good point, I actually thought about that :) But unless that info gets widespread on the net (which hasn't happened yet as far as I know), I don't think that it will be a big problem in general, and especially now that Sony fixes this problem (most likely).


TTP said:
I wonder that as well.

This password reset thing doesn't help matters tho. :D
True hehe :\ Hopefully for people in Japan/Asia, this won't delay PSN getting back for a long time.
 
kurtrussell said:
Any news on Sony UK and the Data Protection Act? From what I've had constantly drummed into me over the last seven years, Sony could theoretically be fined a large amount per breached account...

Play.com didn't get fined, the government didn't get fined, the MoD didn't get fined. No one gets fined.
 

TTP

Have a fun! Enjoy!
Tntnnbltn said:
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...

Mandatory firmware 3.62 to force DoB change! That would be funny.
 

chubigans

y'all should be ashamed
We're all responsible for Sony's security. Like a neighborhood watch program.

Good job everyone, mission accomplished!
 

Clear

CliffyB's Cock Holster
Tntnnbltn said:
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...

To which point the obvious retort is, if you've already been hacked and your personal information mined, what's being lost by getting hacked again especially when all e-commerce is suspended?

Seems like griefing to me.
 

TTP

Have a fun! Enjoy!
Clear said:
To which point the obvious retort is, if you've already been hacked and your personal information mined, what's being lost by getting hacked again especially when all e-commerce is suspended?

Seems like griefing to me.

Well, you can say that because we have discovered about this exploit now.

Imagine if we didn't, and soon after the Store was back up you find out you can't log in (wrong password) and on top of that you get emails confirming purchases from the Store you never did.
 
Hanmik said:
do you want to join the "club"..?

http://i.imgur.com/Pu6rf.jpg

really? this is how you guys are responding these days...ok, two can play---

http://4.bp.blogspot.com/_ce8nz6K9xj8/SolYvQ5fd0I/AAAAAAAAASs/_8Nj11wV6XU/s320/StockholmSyndromeDerekWebb.jpg
 

Loudninja

Member
TTP said:
Well, you can say that because we have discovered about this exploit now.

Imagine if we didn't, and soon after the Store was back up you find out you can't log in (wrong password) and on top of that you get emails confirming purchases from the Store you never did.
Yep.
 
Metalmurphy said:
That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.

Ah I get it now thanks.

Maybe there is no randomness to that URL that you need to click on apart from your email address and DOB within it?
 

Azih

Member
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
Sony's a big company, I wouldn't be surprised if Sony hired people to comb through the back end and didn't think of doing the same for their web front end.
 