gofreak
GAF's Bob Woodward
(05-18-2011, 01:29 PM)

#101

Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.
HaRyu
Member
(05-18-2011, 01:29 PM)

#102

Originally Posted by TTP:
Can you elaborate a bit about the procedure without giving too much away? I'm just curious about it.
The article didn't detail the procedure obviously, but they gave some hints.

Specifically, they posted a link about the reset token, then they followed it up w/ a line that more or less said "when this is used in conjunction w/ another address/link".

I figured if someone dicked around a bit on the website, one could accidentally stumble upon the correct procedure. Like I said, after a few minutes, I had a sudden feeling of "Oh shit, if Sony someone is able to trace this, I'm going to be locked out of my own PSN account", so I stopped at that point. :p

Oh and to clarify, I'm not a hacker-type of person. To me, this seems more on the levels of "any schmuck can probably figure this out". And hey, I have schmuck-level hacking skills, so I figured, what the hell.
Oni Jazar
Member
(05-18-2011, 01:30 PM)

#103

Originally Posted by TTP:
How did that work?
I'm on my phone so I can't search but it involved changing the URL string.
iapetus
Scary Euro Man
(05-18-2011, 01:32 PM)

#104

Originally Posted by V_Arnold:
Oh, I would hire Geohot if I were a Sony executive. Then I would make sure he gets his lunch, his lunch money and his credit card data stolen EVERY FUCKING DAY so he has to beg his coworkers for some food.
Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.
TTP
Have a fun! Enjoy!
(05-18-2011, 01:33 PM)

#105

Originally Posted by Oni Jazar:
I'm on my phone so I can't search but it involved changing the URL string.
Gotcha. Thanks.

You too HaRyu. Ty :)
mujun
Member
(05-18-2011, 01:33 PM)

#106

Originally Posted by expy:
Least they don't prevent you from playing retail games with a firmware update.

hehe
I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
Hanmik
Member
(05-18-2011, 01:35 PM)

#107

Originally Posted by TTP:
Gotcha. Thanks.

You too HaRyu. Ty :)
it was explained here yesterday:

http://www.neogaf.com/forum/showpost...postcount=1882
Curufinwe
Member
(05-18-2011, 01:36 PM)

#108

Originally Posted by iapetus:
Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.
I thought it was still disputed whether the blickmanic PSN account belonged to him, and we never found out for sure because the case was settled.
HaRyu
Member
(05-18-2011, 01:36 PM)

#109

Originally Posted by mujun:
I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
And watch, he just jinxed us Sony owners... next firmware update, it borks everyone's machines.

*shakes fist* CURSE YOU EXPY!
Metalmurphy
(05-18-2011, 01:36 PM)

#110

One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.
Utako
Banned
(05-18-2011, 01:39 PM)
#111

Sony this gen: 599 fucks up the ass
Zoe
(05-18-2011, 01:41 PM)

#112

Originally Posted by Metalmurphy:
One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.
Yes, that's your name + "sama"
HaRyu
Member
(05-18-2011, 01:41 PM)

#113

Originally Posted by Utako:
Sony this gen: 599 fucks up the ass
299. :p
EagleEyes
Member
(05-18-2011, 01:41 PM)
#114

Originally Posted by mujun:
I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
Please don't give that poster any more attention. It's what he lives for apparently.
mujun
Member
(05-18-2011, 01:41 PM)

#115

Originally Posted by Utako:
Sony this gen: 599 fucks up the ass
Ancient history. Let's leave it there.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 01:42 PM)

#116

I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
FLEABttn
needs to fix his kismet
(05-18-2011, 01:44 PM)

#117

Originally Posted by iapetus:
Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.
That was never proven in (the wood) court.
test_account
XP-39Cē
(05-18-2011, 01:45 PM)

#118

So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
brentech
Member
(05-18-2011, 01:46 PM)

#119

Originally Posted by Fersis:
I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P
Hanmik
Member
(05-18-2011, 01:47 PM)

#120

Originally Posted by test_account:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 01:47 PM)

#121

Originally Posted by test_account:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!

Originally Posted by brentech:
Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P
It was the only way to recover my account. There was no legit way for me since there's no PSN Store assigned to my country. LOL
WhatRobEats
Member
(05-18-2011, 01:48 PM)

#122

Originally Posted by Fersis:
I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
Fersis is the haxorz. Confirmed.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 01:50 PM)

#123

Originally Posted by RbBrdMan:
Fersis is the haxorz. Confirmed.
Dear Kotaku: If you're going to quote me name me as: Sir. Fersis McFersiston
Thanks.
Erebus
Member
(05-18-2011, 01:51 PM)

#124

Originally Posted by test_account:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.
kurtrussell
Junior Member
(05-18-2011, 01:51 PM)

#125

Originally Posted by expy:
Least they don't prevent you from playing retail games with a firmware update.

hehe
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
HaRyu
Member
(05-18-2011, 01:51 PM)

#126

Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
brentech
Member
(05-18-2011, 01:52 PM)

#127

Originally Posted by kurtrussell:
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
You're just a junior, don't bring that shit here. It won't end well.

Warning shots fired.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 01:52 PM)

#128

Originally Posted by HaRyu:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.
Hanmik
Member
(05-18-2011, 01:53 PM)

#129

Originally Posted by HaRyu:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
they are not telling us what they are doing.. only saying "maintenance"... does that sound familiar..? ;o)
ghst
thanks for the laugh
(05-18-2011, 01:54 PM)

#130

Originally Posted by mujun:
Ancient history. Let's leave it there.
like ozymandias.
user friendly
Member
(05-18-2011, 01:55 PM)

#131

Originally Posted by gofreak:
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.
Nylevia are good people. One of them (or some of them) do the Aniom themes for PS3.
expy
Banned
(05-18-2011, 01:57 PM)

#132

Originally Posted by kurtrussell:
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
No.
Metalmurphy
(05-18-2011, 01:57 PM)

#133

Originally Posted by HaRyu:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
This is the explanation they gave for the site being down

"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
test_account
XP-39Cē
(05-18-2011, 01:57 PM)

#134

Originally Posted by Hanmik:
as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..
Originally Posted by Fersis:
If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!
Ok, thanks :) By the way, does that mean that the password reset URL had visible email and birthdate in it?

Also, is there a way to figure out which birthday you have registered on PSN? I checked my PSN email from when I registered my account, but it doesn't mention any birthdate there. Since I used fake name and address, I'm pretty sure that I used a fake birthdate as well.


EDIT:

Originally Posted by DarkUSS:
It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.
Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
Ellis Kim
Banned
(05-18-2011, 02:00 PM)

#135

Seriously, no kidding. I'm really glad they were white hat.

Does anyone still use "hacker" and "cracker" to differentiate? Is that still a thing being pushed? I can never get myself to accept "cracker" as black hat, at least not with the racial nomenclature that it's had slapped onto it.
The Faceless Master
(05-18-2011, 02:00 PM)

#136

it's a good thing NeoGAF isn't like so many forums out there that have a wealth of information displayed on user pages like birthdate and email...

so many other forums have all that stuff listed and have those 'HAPPY BIRTHDAY TO ____' things up etc...
HaRyu
Member
(05-18-2011, 02:00 PM)

#137

Originally Posted by Fersis:
SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.
Doh... didn't catch the last part in the OP.

Never mind. :p
TTP
Have a fun! Enjoy!
(05-18-2011, 02:00 PM)

#138

So I just applied for a password change on my US account, and since my PS3 is not active under that account I've got the confirmation link, which looks like this:

store.playstation.com/accounts/security/resetPassword.action?token=*

So I see the link in the OP has a slightly different URL.

It says
...reset/resetPassword.action...

instead of
...security/resetPassword.action...

Guess this is what Fersis was talking about.

I do wonder how one can get that URL and change it without having access to the recipient email.
Last edited by TTP; 05-18-2011 at 02:04 PM.
zomgbbqftw
Member
(05-18-2011, 02:02 PM)

#139

Originally Posted by kurtrussell:
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
This plus your avatar and junior status means you aren't going to last long here...
Erebus
Member
(05-18-2011, 02:05 PM)

#140

Originally Posted by test_account:


EDIT:


Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.
larvi
Member
(05-18-2011, 02:09 PM)
#141

Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?
MarkMclovin
Member
(05-18-2011, 02:14 PM)

#142

Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?
Angry Fork
Spelling is Hard
(05-18-2011, 02:14 PM)

#143

Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
XiaNaphryz
LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
(05-18-2011, 02:15 PM)

#144

Originally Posted by test_account:
Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
Read through the thread man and get caught up! Only took me 5 min. ;P
VibratingDonkey
Member
(05-18-2011, 02:15 PM)

#145

This is hardly encouraging... How did they not discover this exploit before some guy on the internet? Thank god it was a good guy.

Doubt I'll ever feel comfortable having personal information and software licenses linked to my PSN account.
Metalmurphy
(05-18-2011, 02:16 PM)

#146

Originally Posted by MarkMclovin:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?
That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.
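
[Added example, not part of any post in this thread and not Sony's code.] The posts above describe a reset flow in which the step that sets the new password could be reached without the emailed token, so email plus date of birth was enough. This Python sketch puts that flawed final step beside one that takes only the token and looks the account up server-side; the class, method names, TTL and sample data are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; constructed value for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # email -> {"dob", "salt", "pw_hash"}
        self.pending = {}         # sha256(token) -> (email, expiry)
        self.outbox = []          # stand-in for the mail system: (email, token)
        self.clock = clock

    def request_reset(self, email, dob):
        # Email + DOB are often known to others; they may only trigger the mail.
        acct = self.accounts.get(email)
        if acct and hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))
        # Same reply either way, so the form does not confirm which accounts exist.
        return "If the details match, a reset link has been sent."

    def complete_reset_weak(self, email, dob, new_password):
        # Flawed final step: identity comes from the request, no token is checked.
        acct = self.accounts.get(email)
        if not acct or acct["dob"] != dob:
            return False
        self._set_password(acct, new_password)
        return True

    def complete_reset(self, token, new_password):
        # Hardened final step: the only input that selects an account is the token.
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self._set_password(self.accounts[email], new_password)
        return True

    def _set_password(self, acct, new_password):
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = hash_password(new_password, acct["salt"])

    def check_password(self, email, password):
        acct = self.accounts[email]
        return hmac.compare_digest(acct["pw_hash"], hash_password(password, acct["salt"]))
```

Because every route that can change a password has to go through a check like complete_reset, an alternate URL for the same action gains nothing without the mailed token.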
test_account
XP-39Cē
(05-18-2011, 02:16 PM)

#147

Originally Posted by DarkUSS:
That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.
I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
The Faceless Master
(05-18-2011, 02:17 PM)

#148

Originally Posted by Angry Fork:
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
yeah, i'm sure nobody is putting any effort into hacking microsoft's passport.net system that holds probably 500 million accounts for xbox live, windows live, hotmail, expedia, skydrive, etc... who would want that!?
TTP
Have a fun! Enjoy!
(05-18-2011, 02:17 PM)

#149

Originally Posted by MarkMclovin:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?
Going by the identical time stamps of the two emails, I guess it was done "remotely" and perhaps automatically (that is, without the remote person actually getting the verification email).
larvi
Member
(05-18-2011, 02:17 PM)
#150

Originally Posted by Angry Fork:
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
Microsoft has been a prime target for hackers since back in the MS-DOS days.