NeoGAF

Metalmurphy · 12:52 PM

This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.

Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth could change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.

Sender details

Quote:

Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.

And where the story gets even more interesting is that Sony are just lying about it. This is their latest tweets.

Quote:

"Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"

Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:

Quote:

"@PlayStationEU - Thank you for the speedy response guys"

(the tweets warning about the exploit were removed, most likely cause Sony asked him to)

And now they're fixing the problem.

Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.

Jarmel · (05-18-2011, 12:28 PM)

Lol so do you even know the password to your own account?

Square Triangle · (05-18-2011, 12:28 PM)

Sony just keeps on surprising us!

lawblob · (05-18-2011, 12:29 PM)

Here we go again!

Buckle up!

iNvid02 · (05-18-2011, 12:30 PM)

just a DOB is not secure enough, everyone knows my DOB

thats it, i want facial recognitions and fingerprint scans in ps4

Zeouterlimits · (05-18-2011, 12:30 PM)

Surprising and annoying that this hole a) existed b) was not discovered in their post-fall security review.

Kudos to Nyleveia though, for finding it and informing Sony.

Metalmurphy · (05-18-2011, 12:30 PM)

Originally Posted by Jarmel:

Lol so do you even know the password to your own account?

Yes, the password comes listed on the email (its the red box on the pictures), the problem is, once they have the password they can change the login address, and after that you lose your account.

CrushDance · (05-18-2011, 12:30 PM)

Finding it rather hard to respect Sony these days :/

alr1ght · (05-18-2011, 12:30 PM)

un-fucking-believable

strem · (05-18-2011, 12:31 PM)

When will the national nightmare end???????

Night_Trekker · (05-18-2011, 12:31 PM)

Of course they're going to lie about it. The PSN hack has already hurt them in terms of PR.

Dragon · (05-18-2011, 12:32 PM)

Originally Posted by Metalmurphy:

Yes, the password comes listed on the email (its the red box on the pictures), the problem is, once they have the password they can change the login address, and after that you lose your account.

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

Raide · (05-18-2011, 12:32 PM)

Yikes, one mess after another. So what are the chances of all those that changed their PSN Passwords, having to re-do it again?

gl0w · (05-18-2011, 12:34 PM)

wow...

mrklaw · (05-18-2011, 12:34 PM)

Originally Posted by TheBranca18:

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

I think they post it on their twitter feed so you can be notified easily.

Metalmurphy · (05-18-2011, 12:34 PM)

Originally Posted by TheBranca18:

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

What makes you think they are? It's normal for you to get the password sent to you by email when your doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.

panda21 · (05-18-2011, 12:34 PM)

unbelievable. there is literally nothing they could do to make me trust them again at this point.

Raide · (05-18-2011, 12:35 PM)

Originally Posted by panda21:

unbelievable. there is literally nothing they could do to make me trust them again at this point.

Moar free stuffs!

mrklaw · (05-18-2011, 12:35 PM)

Originally Posted by Metalmurphy:

What makes you think they are? It's normal for you to get the password sent to you by email when your doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.

we already know they've made a hash of the passwords.

TheOddOne · (05-18-2011, 12:36 PM)

This can't be that easy, can it? Thats unbelievable.

daffy · 12:41 PM

edit: nvm, done with psn threads :P

Combichristoffersen · (05-18-2011, 12:37 PM)

Sony's network security - the gift that keeps on giving away your personal information

CadetMahoney · (05-18-2011, 12:37 PM)

thread needs some corporate love.

kamorra · (05-18-2011, 12:38 PM)

Originally Posted by CadetMahoney:

thread needs some corporate love.

Awesome job Sony!

toythatkills · (05-18-2011, 12:39 PM)

Originally Posted by Metalmurphy:

What makes you think they are? It's normal for you to get the password sent to you by email when your doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

herod · (05-18-2011, 12:40 PM)

I don't know the details but I guess that the confirmation url is embedded in the webpage somehow. Just URL manipulation to 'force' the confirmation?

Akkad · (05-18-2011, 12:40 PM)

So the OP can't access his account now?

Curufinwe · (05-18-2011, 12:40 PM)

Originally Posted by CadetMahoney:

thread needs some corporate love.

Thread needs more love for MetalMurphy having the guts to send his details to the guy on Twitter and proving the story was true.

lawblob · (05-18-2011, 12:41 PM)

Originally Posted by panda21:

unbelievable. there is literally nothing they could do to make me trust them again at this point.

Can I interest you in a free Syphon Filter PSP download?

Ehhhh??

Tntnnbltn · (05-18-2011, 12:42 PM)

Originally Posted by toythatkills:

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?

Zoe · (05-18-2011, 12:42 PM)

Originally Posted by TheBranca18:

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

They mail you a temporary password that expires within 24 hours. Just like many other services.

LiquidMetal14 · (05-18-2011, 12:42 PM)

Hmmmmm....

Bakc to the Witcher 2 then :P

Kafel · (05-18-2011, 12:42 PM)

Australian and Japan's gov were right.

Metalmurphy · (05-18-2011, 12:43 PM)

Originally Posted by toythatkills:

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

He had both my email address (not the password) and my Date of Birth cause I gave him to see if this was real or not.

And no the emails aren't spoofed.

Quote:

Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

Akkad · (05-18-2011, 12:44 PM)

Originally Posted by Tntnnbltn:

To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?

Well, the OP doesn't say if he did or not.

toythatkills · (05-18-2011, 12:44 PM)

Originally Posted by Tntnnbltn:

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?

I don't know, he never specified.

I'm certainly dubious if the hacker had his email, though.

mrklaw · (05-18-2011, 12:44 PM)

don't really give a shit about passwords being lost/compromised as long as I get on there and wipe off any credit card info. PSN cards only

WhatRobEats · (05-18-2011, 12:45 PM)

For.Fucks.Sake.

How embarrassing.

gcubed · (05-18-2011, 12:45 PM)

Originally Posted by toythatkills:

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him

Defuser · (05-18-2011, 12:46 PM)

Lets see how Stringer defend this!

Metalmurphy · (05-18-2011, 12:46 PM)

Originally Posted by Akkad:

So the OP can't access his account now?

The guy doing this isn't doing it for bad reasons, but for good ones. He has no interest in my account and I will have access to it once the website goes up again.

[Nintex] · (05-18-2011, 12:47 PM)

Originally Posted by Defuser:

Lets see how Stringer defend this!

"When you lose your keys you're not going to change the locks"

kurtrussell · (05-18-2011, 12:47 PM)

News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, sony will require all users to change their date of birth before accessing PSN.

Also - due to "security reasons" the "feature" of having a choice of input will be removed, as this was never explicitly promised when users purchased the ps3. Instead, everyone will share one big PSN account which will consist of two buttons, one that can be clicked to download Little Big Planet and another that can be clicked to listen to a selected Sony/BMG artist*.

*Artists subject to change and rootkit installation. Limited to one play on one machine for the lifetime of offer.

Cdammen · (05-18-2011, 12:47 PM)

Hohohohoooly shit! This is funny.

Metalmurphy · (05-18-2011, 12:48 PM)

Originally Posted by gcubed:

i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him

Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.

Originally Posted by kurtrussell:

News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, sony will require all users to change their date of birth before accessing PSN.

DoB wasn't breached, to be clear for this to happen they would have had to gotten your PSN email address and DoB from somewhere else. In this case, I told them.

toythatkills · (05-18-2011, 12:50 PM)

Originally Posted by Metalmurphy:

Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.

You don't think these accusations are all a bit premature if you don't even know whether your password's been changed?

zomgbbqftw · (05-18-2011, 12:50 PM)

At least they fixed it before it started getting out of hand...

Still shit though.

lowrider007 · (05-18-2011, 12:50 PM)

Originally Posted by toythatkills:

You don't think this is all a bit premature if you don't even know whether your password's been changed?

They are official emails from Sony, what more do you need?

Azih · (05-18-2011, 12:51 PM)

But I didn't get my password mailed to me in text in the confirmation emails. Is there something different in the Japanese and North American password change systems?

Metalmurphy · (05-18-2011, 12:51 PM)

Originally Posted by toythatkills:

You don't think this is all a bit premature if you don't even know whether your password's been changed?

How is it premature I got an email, from Sony, telling me my password was changed after I gave my info, don't think you need more confirmation then that.

And Sony took the password recovery page down afterwards.