gofreak
GAF's Bob Woodward
(05-18-2011, 03:29 PM)
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.
HaRyu
Member
(05-18-2011, 03:29 PM)

Originally Posted by TTP

Can you elaborate a bit about the procedure without giving too much away? I'm just curious about it.

The article didn't detail the procedure obviously, but they gave some hints.

Specifically, they posted a link about the reset token, then they followed it up w/ a line that more or less said "when this is used in conjunction w/ another address/link".

I figured if someone dicked around a bit on the website, one could accidentally stumble upon the correct procedure. Like I said, after a few minutes, I had a sudden feeling of "Oh shit, if Sony someone is able to trace this, I'm going to be locked out of my own PSN account", so I stopped at that point. :p

Oh and to clarify, I'm not a hacker-type of person. To me, this seems more on the levels of "any schmuck can probably figure this out". And hey, I have schmuck-level hacking skills, so I figured, what the hell.
Oni Jazar
Member
(05-18-2011, 03:30 PM)

Originally Posted by TTP

How did that work?

I'm on my phone so I can't search but it involved changing the URL string.
iapetus
Scary Euro Man
(05-18-2011, 03:32 PM)

Originally Posted by V_Arnold

Oh, I would hire Geohot if I were a Sony executive. Then I would make sure he gets his lunch, his lunch money and his credit card data stolen EVERY FUCKING DAY so he has to beg his coworkers for some food.

Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.
TTP
Have a fun! Enjoy!
(05-18-2011, 03:33 PM)

Originally Posted by Oni Jazar

I'm on my phone so I can't search but it involved changing the URL string.

Gotcha. Thanks.

You too HaRyu. Ty :)
mujun
Member
(05-18-2011, 03:33 PM)

Originally Posted by expy

Least they don't prevent you from playing retail games with a firmware update.

hehe

I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
Hanmik
Member
(05-18-2011, 03:35 PM)

Originally Posted by TTP

Gotcha. Thanks.

You too HaRyu. Ty :)

it was explained here yesterday:

http://www.neogaf.com/forum/showpost...postcount=1882
Curufinwe
Member
(05-18-2011, 03:36 PM)

Originally Posted by iapetus

Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.

I thought it was still disputed whether the blickmanic PSN account belonged to him, and we never found out for sure because the case was settled.
HaRyu
Member
(05-18-2011, 03:36 PM)

Originally Posted by mujun

I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.

And watch, he just jinxed us Sony owners... next firmware update, it borks everyone's machines.

*shakes fist* CURSE YOU EXPY!
Metalmurphy
Banned
(05-18-2011, 03:36 PM)
One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.
Utako
Banned
(05-18-2011, 03:39 PM)
Sony this gen: 599 fucks up the ass
Zoe
(05-18-2011, 03:41 PM)

Originally Posted by Metalmurphy

One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.

Yes, that's your name + "sama"
HaRyu
Member
(05-18-2011, 03:41 PM)

Originally Posted by Utako

Sony this gen: 599 fucks up the ass

299. :p
EagleEyes
Member
(05-18-2011, 03:41 PM)

Originally Posted by mujun

I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.

Please don't give that poster any more attention. It's what he lives for apparently.
mujun
Member
(05-18-2011, 03:41 PM)

Originally Posted by Utako

Sony this gen: 599 fucks up the ass

Ancient history. Let's leave it there.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 03:42 PM)
I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
FLEABttn
needs to fix his kismet
(05-18-2011, 03:44 PM)

Originally Posted by iapetus

Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.

That was never proven in (the wood) court.
test_account
XP-39C
(05-18-2011, 03:45 PM)
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
brentech
Member
(05-18-2011, 03:46 PM)

Originally Posted by Fersis

I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.

Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P
Hanmik
Member
(05-18-2011, 03:47 PM)

Originally Posted by test_account

So this only potentially affected people who hadn't reset their password? What about those who had reset their password?

as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 03:47 PM)

Originally Posted by test_account

So this only potentially affected people who hadn't reset their password? What about those who had reset their password?

If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!

Originally Posted by brentech

Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P

It was the only way to recover my account. There was no legit way for me since there's no PSN Store assigned to my country. LOL
WhatRobEats
Member
(05-18-2011, 03:48 PM)

Originally Posted by Fersis

I know that you could bypass some of the password security by changing 'security' by 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.

Fersis is the haxorz. Confirmed.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 03:50 PM)

Originally Posted by RbBrdMan

Fersis is the haxorz. Confirmed.

Dear Kotaku: If you're going to quote me name me as: Sir. Fersis McFersiston
Thanks.
Erebus
Member
(05-18-2011, 03:51 PM)

Originally Posted by test_account

So this only potentially affected people who hadn't reset their password? What about those who had reset their password?

It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.
kurtrussell
Banned
(05-18-2011, 03:51 PM)

Originally Posted by expy

Least they don't prevent you from playing retail games with a firmware update.

hehe

Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
HaRyu
Member
(05-18-2011, 03:51 PM)
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
brentech
Member
(05-18-2011, 03:52 PM)

Originally Posted by kurtrussell

Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?

You're just a junior, don't bring that shit here. It won't end well.

Warning shots fired.
Fersis
It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
(05-18-2011, 03:52 PM)

Originally Posted by HaRyu

Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?

SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.
Hanmik
Member
(05-18-2011, 03:53 PM)

Originally Posted by HaRyu

Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?

they are not telling us what they are doing.. only saying "maintenance"... does that sound familiar..? ;o)
ghst
thanks for the laugh
(05-18-2011, 03:54 PM)

Originally Posted by mujun

Ancient history. Let's leave it there.

like ozymandias.
user friendly
Member
(05-18-2011, 03:55 PM)

Originally Posted by gofreak

Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.

Nylevia are good people. One of them (or some of them) do the Aniom themes for PS3.
expy
Banned
(05-18-2011, 03:57 PM)

Originally Posted by kurtrussell

Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?

No.
Metalmurphy
Banned
(05-18-2011, 03:57 PM)

Originally Posted by HaRyu

Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?

This is the explanation they gave for the site being down

"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
test_account
XP-39C
(05-18-2011, 03:57 PM)

Originally Posted by Hanmik

as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..

Originally Posted by Fersis

If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!

Ok, thanks :) By the way, does that mean that the password reset URL had visible email and birthdate in it?

Also, is there a way to figure out which birthday you have registered on PSN? I checked my PSN email from when I registered my account, but it doesn't mention any birthdate there. Since I used fake name and address, I'm pretty sure that I used a fake birthdate as well.


EDIT:

Originally Posted by DarkUSS

It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.

Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
Ellis Kim
Banned
(05-18-2011, 04:00 PM)
Seriously, no kidding. I'm really glad they were white hat.

Does anyone still use "hacker" and "cracker" to differentiate? Is that still a thing being pushed? I can never get myself to accept "cracker" as black hat, at least not with the racial nomenclature that it's had slapped onto it.
The Faceless Master
(05-18-2011, 04:00 PM)
it's a good thing NeoGAF isn't like so many forums out there that have a wealth of information displayed on user pages like birthdate and email...

so many other forums have all that stuff listed and have those 'HAPPY BIRTHDAY TO ____' things up etc...
HaRyu
Member
(05-18-2011, 04:00 PM)

Originally Posted by Fersis

SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.

Doh... didn't catch the last part in the OP.

Never mind. :p
TTP
Have a fun! Enjoy!
(05-18-2011, 04:00 PM)
So I just applied for a password change on my US account, and since my PS3 is not active under that account I've got the confirmation link, which looks like this:

store.playstation.com/accounts/security/resetPassword.action?token=*

So I see the link in the OP has a slightly different URL.

It says
...reset/resetPassword.action...

instead of
...security/resetPassword.action...

Guess this is what Fersis was talking about.

I do wonder how one can get that URL and change it without having access to the recipient email.
Last edited by TTP; 05-18-2011 at 04:04 PM.
zomgbbqftw
Pay attention.
(05-18-2011, 04:02 PM)

Originally Posted by kurtrussell

Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?

This plus your avatar and junior status means you aren't going to last long here...
Erebus
Member
(05-18-2011, 04:05 PM)

Originally Posted by test_account



EDIT:


Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.

That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.
larvi
Member
(05-18-2011, 04:09 PM)
Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?
MarkMclovin
Member
(05-18-2011, 04:14 PM)
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?
Angry Fork
Spelling is Hard
(05-18-2011, 04:14 PM)
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
XiaNaphryz
LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
(05-18-2011, 04:15 PM)

Originally Posted by test_account

Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.

Read through the thread man and get caught up! Only took me 5 min. ;P
VibratingDonkey
Member
(05-18-2011, 04:15 PM)
This is hardly encouraging... How did they not discover this exploit before some guy on the internet? Thank god it was a good guy.

Doubt I'll ever feel comfortable having personal information and software licenses linked to my PSN account.
Metalmurphy
Banned
(05-18-2011, 04:16 PM)

Originally Posted by MarkMclovin

Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.
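
A defender's view of the flaw as the posts above describe it (a password changed without the emailed confirmation link), as an added example that is not part of the thread and not Sony's code. The `ResetService` class, its fields and the 15-minute link lifetime are assumptions; the point is that email plus date of birth may only request a reset, and every route that sets a password must verify the mailed token.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a mailed reset link


class ResetService:
    """Toy account store; all names and fields here are hypothetical."""

    def __init__(self):
        self.accounts = {}  # email -> {"dob", "salt", "password_hash"}
        self.pending = {}   # email -> (sha256 of token, expiry timestamp)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_account(self, email, dob, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"dob": dob, "salt": salt,
                                "password_hash": self._hash(password, salt)}

    def request_reset(self, email, dob, now=None):
        """Step 1: email + date of birth only *requests* a reset.
        The returned token stands in for the link mailed to the owner."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            return None
        token = secrets.token_urlsafe(32)
        # Store only a digest, so a leaked table does not yield usable links.
        self.pending[email] = (hashlib.sha256(token.encode()).digest(),
                               now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email, token, new_password, now=None):
        """Step 2: the only code path that writes a new password.
        A missing, wrong, expired or already-used token is refused."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None or not token:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # single use
        acct = self.accounts[email]
        acct["password_hash"] = self._hash(new_password, acct["salt"])
        return True

    def check_password(self, email, password):
        acct = self.accounts[email]
        return hmac.compare_digest(acct["password_hash"],
                                   self._hash(password, acct["salt"]))
```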
test_account
XP-39C
(05-18-2011, 04:16 PM)

Originally Posted by DarkUSS

That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.

I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
The Faceless Master
(05-18-2011, 04:17 PM)

Originally Posted by Angry Fork

Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.

yeah, i'm sure nobody is putting any effort into hacking microsoft's passport.net system that holds probably 500 million accounts for xbox live, windows live, hotmail, expedia, skydrive, etc... who would want that!?
TTP
Have a fun! Enjoy!
(05-18-2011, 04:17 PM)

Originally Posted by MarkMclovin

Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

Going by the identical time stamps of the two emails, I guess it was done "remotely" and perhaps automatically (that is, without the remote person actually getting the verification email).
larvi
Member
(05-18-2011, 04:17 PM)

Originally Posted by Angry Fork

Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.

Microsoft has been a prime target for hackers since back in the MSDos days.
