[surly]

A guy on Twitter was talking about a vulnerability that allows someone to take ownership of a PSN account using just an email address and date of birth. That same guy has now posted this article on his site: -

Quote:

I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe. A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth. It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real. I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you. While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used. Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt. In addition to this, within a few minutes we received an email from Sony stating the following: This email confirms that your PlayStation(R)Network password account has been changed successfully. If you did not change your password… This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed. If you did not change your password, please contact Customer Support at the following address: networksupport@uk.playstation.com The PlayStation(R)Network Team To the folks over at N4G, I realize that you may be hesitant to believe these claims however I can assure you that they are true. Details of the exploit have been distributed via a certain PlayStation 3 “hacks” IRC server and are currently being utilized by a small group of people. In creating this news article we want only to warn people and illustrate a definite way to protect their account while they can – I find the concept of burying ones head in the sand and refusing to believe something until the details of the exploit become widely known and peoples accounts are being compromised a very illogical way of handling things. Look at things from my perspective, what options do you have here?, Do nothing, then run the risk of having your account compromised because a small relatively unknown site told you to change your email address and you didn’t listen, or take a few minutes of your time to change your email “Just in case”, then be safe in the knowledge that regardless of the outcome, your account is safe. We have contacted Sony but do not expect any response until morning. While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token. We will update with further details as soon as possible.

http://sony.nyleveia.com/2011/05/17/...till-not-safe/

This is unconfirmed, but the guy that wrote the article seems convinced and he's contacted Sony to let them know.

[Blueblur1]

I hope this isn't true.

[goldenpp72]

It just keeps coming.

[Deadly Joker]

OH NO

[sazabirules]

This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.

[AceBandage]

Three more weeks of Winter PSN outage?

[LiquidMetal14]

Where do I donate to these guys /sarcasm.

Stupid idiot hackers.

[darkwing]

Sony is doomed once again.

[iNvid02]

the fuck is this

[Davedough]

But the password manager will be sent to the registered email. If your passwords are different, then they've got nothing.

[alr1ght]

Originally Posted by sazabirules:

This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token.

[LiquidMetal14]

Originally Posted by sazabirules:

This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.

Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.

[confused]

And so it continues...... Poor Sony (seves them right for shitty security)

Now is the time to kill PSN and start over fresh.

[snoopeasystreet]

Sony just can't catch a break.

[canadian crowe]

I hope this isn't true. If this keeps happening Sony execs are going to have to do a lot more than bow to Playstation owners.

[Kagari]

[IMG]http://i41.************/2cdbvvd.gif[/IMG]

[DevelopmentArrested]

Not even gonna bother with PSN again. What a joke

[maniac-kun]

god damn it

[plainr_]

A guy on twitter.....

[Metalmurphy]

UT3MODSPS3@GMAIL.COM / 1983

COME AT ME BRO!

[Buckethead]

How reliable is that site?

But lol if true.

[EmmanuelMunoz]

ffffffffffffffff

[Curufinwe]

If you do want to change your PSN email, go here and log in.

https://store.playstation.com/login.gvm

I won't be changing mine, but I just did remove my old credit card (that I canceled weeks ago) and I won't be adding another one.

[LiquidMetal14]

Originally Posted by DevelopmentArrested:

Not even gonna bother with PSN again. What a joke

Basing it off unconfirmed things at this point. Right.

Be mad at idiots trying to fiddle with things they have no business with.

[Erebus]

Overreacting over something that's not even confirmed yet. Never change GAF.

[dream]

My PS3 truly is the gift that keeps on giving.

[XiaNaphryz]

Originally Posted by LiquidMetal14:

Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.

Well, from the OP:

Quote:

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token.

[Kagari]

Locking for now due to unreliability of random people on twitter.

[PSFan]

Please God, no