
surly
Banned
(05-17-2011, 11:23 PM)
A guy on Twitter was talking about a vulnerability that allows someone to take ownership of a PSN account using just an email address and date of birth. That same guy has now posted this article on his site:

I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.

A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.

While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.

Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.

In addition to this, within a few minutes we received an email from Sony stating the following:

This email confirms that your PlayStation(R)Network password account has been changed successfully.

If you did not change your password…
This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
If you did not change your password, please contact Customer Support at the following address:

networksupport@uk.playstation.com

The PlayStation(R)Network Team


To the folks over at N4G, I realize that you may be hesitant to believe these claims; however, I can assure you that they are true.
Details of the exploit have been distributed via a certain PlayStation 3 “hacks” IRC server and are currently being utilized by a small group of people.

In creating this news article we want only to warn people and illustrate a definite way to protect their account while they can – I find the concept of burying one's head in the sand and refusing to believe something until the details of the exploit become widely known and people's accounts are being compromised a very illogical way of handling things.

Look at things from my perspective: what options do you have here? Do nothing, then run the risk of having your account compromised because a small relatively unknown site told you to change your email address and you didn’t listen, or take a few minutes of your time to change your email “Just in case”, then be safe in the knowledge that regardless of the outcome, your account is safe.

We have contacted Sony but do not expect any response until morning.

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reasons, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server into allowing the password of an account to be changed without a valid Sony-issued security token.

We will update with further details as soon as possible.

http://sony.nyleveia.com/2011/05/17/...till-not-safe/

This is unconfirmed, but the guy that wrote the article seems convinced and he's contacted Sony to let them know.
Blueblur1
Member
(05-17-2011, 11:24 PM)
I hope this isn't true.
goldenpp72
Member
(05-17-2011, 11:24 PM)
It just keeps coming.
Deadly Joker
Member
(05-17-2011, 11:24 PM)
OH NO
sazabirules
Member
(05-17-2011, 11:24 PM)
This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.
AceBandage
Banned
(05-17-2011, 11:24 PM)
Three more weeks of Winter PSN outage?
LiquidMetal14
hide your water-based mammals
(05-17-2011, 11:25 PM)
Where do I donate to these guys /sarcasm.

Stupid idiot hackers.
darkwing
Member
(05-17-2011, 11:25 PM)
Sony is doomed once again.
iNvid02
Member
(05-17-2011, 11:25 PM)
the fuck is this
Davedough
just swallowin' loads
and returnin' favors
(05-17-2011, 11:25 PM)
But the password manager will be sent to the registered email. If your passwords are different, then they've got nothing.
alr1ght
bish gets all the credit :)
(05-17-2011, 11:26 PM)

Originally Posted by sazabirules

This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reasons, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server into allowing the password of an account to be changed without a valid Sony-issued security token.
LiquidMetal14
hide your water-based mammals
(05-17-2011, 11:26 PM)

Originally Posted by sazabirules

This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.

Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.
confused
Banned
(05-17-2011, 11:26 PM)
And so it continues...... Poor Sony (serves them right for shitty security)

Now is the time to kill PSN and start over fresh.
snoopeasystreet
Banned
(05-17-2011, 11:26 PM)
Sony just can't catch a break.
canadian crowe
Member
(05-17-2011, 11:26 PM)
I hope this isn't true. If this keeps happening Sony execs are going to have to do a lot more than bow to Playstation owners.
Kagari
Please understand.
(05-17-2011, 11:26 PM)
[IMG]http://i41.************/2cdbvvd.gif[/IMG]
DevelopmentArrested
Junior Member
(05-17-2011, 11:27 PM)
Not even gonna bother with PSN again. What a joke
maniac-kun
Member
(05-17-2011, 11:27 PM)
god damn it
plainr_
Member
(05-17-2011, 11:28 PM)
A guy on twitter.....
Metalmurphy
Banned
(05-17-2011, 11:28 PM)
UT3MODSPS3@GMAIL.COM / 1983

COME AT ME BRO!
Buckethead
Member
(05-17-2011, 11:28 PM)
How reliable is that site?

But lol if true.
EmmanuelMunoz
Member
(05-17-2011, 11:28 PM)
ffffffffffffffff
Curufinwe
Banned
(05-17-2011, 11:28 PM)
If you do want to change your PSN email, go here and log in.

https://store.playstation.com/login.gvm

I won't be changing mine, but I just did remove my old credit card (that I canceled weeks ago) and I won't be adding another one.
LiquidMetal14
hide your water-based mammals
(05-17-2011, 11:28 PM)

Originally Posted by DevelopmentArrested

Not even gonna bother with PSN again. What a joke

Basing it off unconfirmed things at this point. Right.

Be mad at idiots trying to fiddle with things they have no business with.
Erebus
Member
(05-17-2011, 11:28 PM)
Overreacting over something that's not even confirmed yet. Never change GAF.
dream
(05-17-2011, 11:29 PM)
My PS3 truly is the gift that keeps on giving.
XiaNaphryz
LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
(05-17-2011, 11:29 PM)

Originally Posted by LiquidMetal14

Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.

Well, from the OP:

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reasons, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server into allowing the password of an account to be changed without a valid Sony-issued security token.

Kagari
Please understand.
(05-17-2011, 11:29 PM)
Locking for now due to unreliability of random people on twitter.
RPGamer92
Junior Member
(05-17-2011, 11:29 PM)
Please God, no
