
Metalmurphy
Banned
(05-18-2011, 02:25 PM)
This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.


Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth to change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.




Sender details

Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.


And where the story gets even more interesting is that Sony are just lying about it. These are their latest tweets.

"Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"

Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:

"@PlayStationEU - Thank you for the speedy response guys"

(the tweets warning about the exploit were removed, most likely because Sony asked him to)

And now they're fixing the problem.



Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.
Last edited by Metalmurphy; 05-18-2011 at 02:52 PM. Reason: typos
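As an added illustration (not code from the thread or from Sony), here is the reset flow the opening post implies a recovery page must enforce: knowing the login address and date of birth only earns a confirmation mail, and nothing about the account changes until the unguessable mailed token is presented. The class and method names, the in-memory outbox standing in for real email, and the 24-hour token lifetime (the expiry mentioned later in the thread) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed: matches the 24-hour expiry mentioned in the thread


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the stored value never reveals the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordResetService:
    """Hypothetical account store with a two-step reset: request, then confirm with the mailed token."""

    def __init__(self):
        self.accounts = {}   # email -> {"dob", "salt", "pw_hash", "reset"}
        self.outbox = []     # (recipient, message) pairs a real service would actually email

    def register(self, email: str, dob: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"dob": dob, "salt": salt,
                                "pw_hash": _hash_password(password, salt), "reset": None}

    def request_reset(self, email: str, dob: str) -> bool:
        """Step 1: email + DOB only triggers the confirmation mail; account state is untouched."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            return False   # same answer for unknown email and wrong DOB: no account oracle
        token = secrets.token_urlsafe(32)   # unguessable, single-use, time-limited
        acct["reset"] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                         "expires": time.time() + TOKEN_TTL_SECONDS}
        self.outbox.append((email, f"confirm-reset token={token}"))
        return True

    def confirm_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: only whoever read the mailbox (and so holds the token) can complete the change."""
        acct = self.accounts.get(email)
        pending = acct["reset"] if acct else None
        if pending is None or time.time() > pending["expires"]:
            return False
        if not hmac.compare_digest(pending["token_hash"], hashlib.sha256(token.encode()).digest()):
            return False
        acct["reset"] = None   # consume the token before touching the credential
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new_password, acct["salt"])
        self.outbox.append((email, "password-changed"))   # the "final confirmation" mail
        return True

    def verify_login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))
```

The thread's failure mode is a flow that performs step 2 after step 1 alone; here a wrong or reused token, or one presented after expiry, leaves the old password in force.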
Jarmel
place a shoe on my head
to reduce lag compensation
(05-18-2011, 02:28 PM)
Lol so do you even know the password to your own account?
Square Triangle
Kratos can kill Zeus
but not Pam Anderson?
(05-18-2011, 02:28 PM)
Sony just keeps on surprising us!
Barrett2
Member
(05-18-2011, 02:29 PM)
Here we go again!

Buckle up!
iNvid02
Member
(05-18-2011, 02:30 PM)
just a DOB is not secure enough, everyone knows my DOB

that's it, I want facial recognition and fingerprint scans in ps4
Zeouterlimits
Member
(05-18-2011, 02:30 PM)
Surprising and annoying that this hole a) existed b) was not discovered in their post-fall security review.

Kudos to Nyleveia though, for finding it and informing Sony.
Metalmurphy
Banned
(05-18-2011, 02:30 PM)

Originally Posted by Jarmel

Lol so do you even know the password to your own account?

Yes, the password comes listed on the email (it's the red box on the pictures), the problem is, once they have the password they can change the login address, and after that you lose your account.
CrushDance
This sh!t needs to stop?
(05-18-2011, 02:30 PM)
Finding it rather hard to respect Sony these days :/
alr1ght
bish gets all the credit :)
(05-18-2011, 02:30 PM)
un-fucking-believable
strem
Member
(05-18-2011, 02:31 PM)
When will the national nightmare end???????
Night_Trekker
Member
(05-18-2011, 02:31 PM)
Of course they're going to lie about it. The PSN hack has already hurt them in terms of PR.
Dragon
Member
(05-18-2011, 02:32 PM)

Originally Posted by Metalmurphy

Yes, the password comes listed on the email (it's the red box on the pictures), the problem is, once they have the password they can change the login address, and after that you lose your account.

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
Raide
Member
(05-18-2011, 02:32 PM)
Yikes, one mess after another. So what are the chances of all those that changed their PSN Passwords, having to re-do it again?
gl0w
Member
(05-18-2011, 02:34 PM)
wow...
mrklaw
MrArseFace
(05-18-2011, 02:34 PM)

Originally Posted by TheBranca18

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?


I think they post it on their twitter feed so you can be notified easily.
Metalmurphy
Banned
(05-18-2011, 02:34 PM)

Originally Posted by TheBranca18

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
panda21
Member
(05-18-2011, 02:34 PM)
unbelievable. there is literally nothing they could do to make me trust them again at this point.
Raide
Member
(05-18-2011, 02:35 PM)

Originally Posted by panda21

unbelievable. there is literally nothing they could do to make me trust them again at this point.

Moar free stuffs!
mrklaw
MrArseFace
(05-18-2011, 02:35 PM)

Originally Posted by Metalmurphy

What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.

we already know they've made a hash of the passwords.
TheOddOne
Member
(05-18-2011, 02:36 PM)
This can't be that easy, can it? That's unbelievable.
daffy
Member
(05-18-2011, 02:37 PM)
edit: nvm, done with psn threads :P
Last edited by daffy; 05-18-2011 at 02:41 PM.
Combichristoffersen
Combovers don't work when there is no hair
(05-18-2011, 02:37 PM)
Sony's network security - the gift that keeps on giving away your personal information
CadetMahoney
Member
(05-18-2011, 02:37 PM)
thread needs some corporate love.
kamorra
Fuck Cancer
(05-18-2011, 02:38 PM)

Originally Posted by CadetMahoney

thread needs some corporate love.

Awesome job Sony!
toythatkills
(05-18-2011, 02:39 PM)

Originally Posted by Metalmurphy

What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
herod
Member
(05-18-2011, 02:40 PM)
I don't know the details but I guess that the confirmation url is embedded in the webpage somehow. Just URL manipulation to 'force' the confirmation?
Akkad
Banned
(05-18-2011, 02:40 PM)
So the OP can't access his account now?
Curufinwe
Member
(05-18-2011, 02:40 PM)

Originally Posted by CadetMahoney

thread needs some corporate love.

Thread needs more love for MetalMurphy having the guts to send his details to the guy on Twitter and proving the story was true.
Barrett2
Member
(05-18-2011, 02:41 PM)

Originally Posted by panda21

unbelievable. there is literally nothing they could do to make me trust them again at this point.

Can I interest you in a free Syphon Filter PSP download?

Ehhhh??
Tntnnbltn
Member
(05-18-2011, 02:42 PM)

Originally Posted by toythatkills

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
Zoe
(05-18-2011, 02:42 PM)

Originally Posted by TheBranca18

Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

They mail you a temporary password that expires within 24 hours. Just like many other services.
LiquidMetal14
hide your water-based mammals
(05-18-2011, 02:42 PM)
Hmmmmm....

Back to the Witcher 2 then :P
Kafel
Banned
(05-18-2011, 02:42 PM)
The Australian and Japanese governments were right.
Metalmurphy
Banned
(05-18-2011, 02:43 PM)

Originally Posted by toythatkills

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

He had both my email address (not the password) and my Date of Birth because I gave them to him to see if this was real or not.

And no the emails aren't spoofed.


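Added example, not from the thread: the kind of check a reader can run on the headers quoted in the opening post to weigh the "spoofed emails" question. It parses a copy of those headers (folding whitespace restored, two internal Gmail hops omitted) and confirms that Gmail's own Received-SPF and Authentication-Results verdict, the envelope and From domains, and the IP in the hop Gmail itself recorded all agree; it also notes that no DKIM signature is present, so SPF vouches for the sending server, not for the message body. The function name and the `my_mx` parameter are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Copy of the headers quoted in the opening post; lines starting with a space continue
# the previous header (RFC 5322 folding). Two Gmail-internal "Received: by 10.x" hops are omitted.
RAW_HEADERS = """\
Delivered-To: ut3modsps3@gmail.com
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
 by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
 Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
 by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
 for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
 =?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0

"""


def _domain(addr) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def assess_headers(raw: str, my_mx: str = "mx.google.com") -> dict:
    """What the receiving MX's own annotations let us conclude about who sent the mail."""
    msg = message_from_string(raw, policy=policy.default)
    spf = str(msg.get("Received-SPF", ""))
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    m = re.search(r"client-ip=([\d.]+)", spf)
    spf_ip = m.group(1) if m else None
    # Only the Received line our own MX wrote is trustworthy; earlier hops are sender-supplied text.
    own_hop = next((str(r) for r in msg.get_all("Received", []) if f"by {my_mx}" in str(r)), "")
    m = re.search(r"\[([\d.]+)\]", own_hop)
    hop_ip = m.group(1) if m else None
    from_dom, envelope_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    auth = str(msg.get("Authentication-Results", "")).lower()
    return {
        "subject": str(msg["Subject"]),   # RFC 2047 encoded words decoded by the email package
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "spf_result": spf_result,
        "spf_client_ip": spf_ip,
        "own_hop_ip": hop_ip,
        # SPF pass, From/envelope alignment and IP agreement: the mail left a host authorised
        # for the envelope domain. That says nothing about the integrity of the body.
        "sender_verified": spf_result == "pass" and from_dom == envelope_dom and spf_ip == hop_ip,
        "dkim_signed": "dkim=" in auth or "DKIM-Signature" in msg,
    }
```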
Akkad
Banned
(05-18-2011, 02:44 PM)

Originally Posted by Tntnnbltn

To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?

Well, the OP doesn't say if he did or not.
toythatkills
(05-18-2011, 02:44 PM)

Originally Posted by Tntnnbltn

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?

I don't know, he never specified.

I'm certainly dubious if the hacker had his email, though.
mrklaw
MrArseFace
(05-18-2011, 02:44 PM)
don't really give a shit about passwords being lost/compromised as long as I get on there and wipe off any credit card info. PSN cards only
WhatRobEats
Member
(05-18-2011, 02:45 PM)
For.Fucks.Sake.


How embarrassing.
gcubed
Member
(05-18-2011, 02:45 PM)

Originally Posted by toythatkills

No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?

I'm assuming metalmurphy tried to then log in to his account with that password and it worked, so I have no reason not to believe him
Defuser
Member
(05-18-2011, 02:46 PM)
Let's see how Stringer defends this!
Metalmurphy
Banned
(05-18-2011, 02:46 PM)

Originally Posted by Akkad

So the OP can't access his account now?

The guy doing this isn't doing it for bad reasons, but for good ones. He has no interest in my account and I will have access to it once the website goes up again.
[Nintex]
Banned
(05-18-2011, 02:47 PM)

Originally Posted by Defuser

Let's see how Stringer defends this!

"When you lose your keys you're not going to change the locks"
kurtrussell
Banned
(05-18-2011, 02:47 PM)
News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, Sony will require all users to change their date of birth before accessing PSN.

Also - due to "security reasons" the "feature" of having a choice of input will be removed, as this was never explicitly promised when users purchased the ps3. Instead, everyone will share one big PSN account which will consist of two buttons, one that can be clicked to download Little Big Planet and another that can be clicked to listen to a selected Sony/BMG artist*.

*Artists subject to change and rootkit installation. Limited to one play on one machine for the lifetime of offer.
Cdammen
Member
(05-18-2011, 02:47 PM)
Hohohohoooly shit! This is funny.
Metalmurphy
Banned
(05-18-2011, 02:48 PM)

Originally Posted by gcubed

I'm assuming metalmurphy tried to then log in to his account with that password and it worked, so I have no reason not to believe him

Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.

Originally Posted by kurtrussell

News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, Sony will require all users to change their date of birth before accessing PSN.

DoB wasn't breached, to be clear; for this to happen they would have had to get your PSN email address and DoB from somewhere else. In this case, I told them.
toythatkills
(05-18-2011, 02:50 PM)

Originally Posted by Metalmurphy

Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.

You don't think these accusations are all a bit premature if you don't even know whether your password's been changed?
zomgbbqftw
Pay attention.
(05-18-2011, 02:50 PM)
At least they fixed it before it started getting out of hand...

Still shit though.
lowrider007
Licorice-flavoured booze?
(05-18-2011, 02:50 PM)

Originally Posted by toythatkills

You don't think this is all a bit premature if you don't even know whether your password's been changed?

They are official emails from Sony, what more do you need?
Azih
Member
(05-18-2011, 02:51 PM)
But I didn't get my password mailed to me in text in the confirmation emails. Is there something different in the Japanese and North American password change systems?
Metalmurphy
Banned
(05-18-2011, 02:51 PM)

Originally Posted by toythatkills

You don't think this is all a bit premature if you don't even know whether your password's been changed?

How is it premature? I got an email, from Sony, telling me my password was changed after I gave my info; I don't think you need more confirmation than that.

And Sony took the password recovery page down afterwards.
