
Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

lowrider007

Licorice-flavoured booze?
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/

"UPDATE 3: To clarify the situation, we had confirmed ourselves the method used last night, and contacted SCEE, SCEE have acted upon this information, we felt the information previously provided in our tweets and this article may have been a little too revealing to the vulnerability, thus we “dumbed down” the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it’s unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter."
 

Hanmik

Member
Metalmurphy said:
Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.



DoB wasn't breached, to be clear for this to happen they would have had to have gotten your PSN email address and DoB from somewhere else. In this case, I told them.

but did you try to access your (you can still do it) PSN account on your PS3..?
 

gcubed

Member
Azih said:
But I didn't get my password mailed to me in text in the confirmation emails. Is there something different in the Japanese and North American password change systems?

a recovery or just a change?
 

TTP

Have a fun! Enjoy!
Metalmurphy said:
How is it premature I got an email, from Sony, telling me my password was changed after I gave my info, don't think you need more confirmation than that.

And Sony took the password recovery page down afterwards.

Can't you log in from your PS3 to double check?
 

Zoe

Member
lowrider007 said:
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/

"UPDATE 3: To clarify the situation, we had confirmed ourselves the method used last night, and contacted SCEE, SCEE have acted upon this information, we felt the information previously provided in our tweets and this article may have been a little too revealing to the vulnerability, thus we “dumbed down” the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it’s unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter."

They really should have alerted Sony before posting the story. They originally gave vague instructions on how to do the exploit yourself.
 

luxarific

Nork unification denier
Fucking christ, Sony. Just hire Schneier or someone who actually knows something about security and fire the incompetents you apparently employ.
 
Metalmurphy said:
How else would I have gotten those emails?

I don't know. I'm not a hacker and I don't know how easy it would be to make an email appear to have come from somewhere else.

If it's literally, totally impossible, then fair enough. If there's any chance at all that it's possible then you're making some quite major accusations here which may not be based in truth.
 

Hanmik

Member
toythatkills said:
I don't know. I'm not a hacker and I don't know how easy it would be to make an email appear to have come from somewhere else.

If it's literally, totally impossible, then fair enough. If there's any chance at all that it's possible then you're making some quite major accusations here which may not be based in truth.

he is not making something up.. it was already news yesterday..

http://gamerpunch.net/2011/05/18/so...ign-in-amidst-rumors-about-password-security/

I just want to know how he could change the password for a Japanese account via the internet.. I tried and got the maintenance message every time..
 
toythatkills said:
I don't know. I'm not a hacker and I don't know how easy it would be to make an email appear to have come from somewhere else.

If it's literally, totally impossible, then fair enough. If there's any chance at all that it's possible then you're making some quite major accusations here which may not be based in truth.

They can fake the address you see on the "sender" field, but they can't fake the actual sender once you see the message details, which I posted already. They came from Sony.
 
luxarific said:
Fucking christ, Sony. Just hire Schneier or someone who actually knows something about security and fire the incompetents you apparently employ.

Didn't Geohot ask them for a job a few months ago?
 

Blimblim

The Inside Track
toythatkills said:
I don't know. I'm not a hacker and I don't know how easy it would be to make an email appear to have come from somewhere else.

If it's literally, totally impossible, then fair enough. If there's any chance at all that it's possible then you're making some quite major accusations here which may not be based in truth.

This part would be forgeable, but it would not be placed where it is in the headers of the mail.
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;

Definitely not a fake.
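The header check described in the two posts above, as an added example that is not part of the thread: a forger can paste any `Received:` line into a message, but the recipient's own mail server always prepends its line on top, so only the topmost hop stamped by that server is trusted. The `sony.example` addresses, the `198.51.100.7` hop and the `trusted_hop` helper are constructed for illustration; the Sony hop is the one quoted in the post.

```python
import re
from email import message_from_string

# Hop quoted in the post above, as recorded by the receiving Gmail server.
PAGE_HOP = ("from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])\n"
            "\tby mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;")

# Constructed sample messages (addresses, subject and the 198.51.100.7 hop are made up).
TAIL = ("From: Sony <noreply@sony.example>\n"
        "To: user@example.com\n"
        "Subject: Password changed\n\nbody\n")
GENUINE = "Received: " + PAGE_HOP + "\n" + TAIL
# Forgery: the sender pastes the Sony hop into the message, but the
# recipient's server still stamps the real connection above it.
FORGED = ("Received: from mail.sony.example (unknown [198.51.100.7])\n"
          "\tby mx.google.com with ESMTP id constructed-id;\n"
          "Received: " + PAGE_HOP + "\n" + TAIL)

# "from <claimed name> (<name seen by receiver> [<connecting IP>]) by <receiver>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)")


def trusted_hop(raw, my_mx="mx.google.com"):
    """Return the hop recorded by the recipient's own server, or None.

    Received headers are prepended, so the first match from the top is the
    one our server wrote; everything below it is sender-controlled text.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):  # topmost (newest) first
        m = HOP_RE.search(value)
        if m and m.group("by").lower() == my_mx:
            return m.groupdict()
    return None


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        hop = trusted_hop(raw)
        print(label, hop["rdns"], hop["ip"])
```

Both messages show the same `From:` line and both contain the Sony hop, yet only the genuine one has it in the position written by the recipient's server.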
 
Hanmik said:
he is not making something up.. it was already news yesterday..

http://gamerpunch.net/2011/05/18/so...ign-in-amidst-rumors-about-password-security/

I just want to know how he could change the password for a Japanese account via the internet.. I tried and got the maintenance message every time..

Honestly I don't know. I don't even remember if I changed it myself back when PSN came online for the first time. But it's possible that this exploit also allowed them to skip some of those checks. Let's face it, all accounts are saved on the same place, independent of region.

And another thing, if it was fake, how would they even have known it was a Japanese account? I never said it was anywhere.
 
kurtrussell said:
Didn't Geohot ask them for a job a few months ago?

Sony would be pretty stupid to hire Geohot. I know companies do this but it seems he pretty much started the whole mess indirectly.
 
 

Zoe

Member
LiK said:
Good to know they're fixing it. Geez, who's the genius behind their network and websites?

The nature of this makes me wonder how secure other companies' reset functions are.
 

luxarific

Nork unification denier
kurtrussell said:
Didn't Geohot ask them for a job a few months ago?

Yeah. Too bad he withdrew his "application" after they sued him. Thank goodness the Store isn't back up. This hack could have been much worse if hackers had changed passwords and then gotten access to accounts whose rightful owners had funded PSN wallets, like mine. (I used prepaid cards, but the money is still in there. At least it better be.)
 

kamorra

Fuck Cancer
VGChampion said:
Sony would be pretty stupid to hire Geohot. I know companies do this but it seems he pretty much started the whole mess indirectly.

If he is responsible for indirectly starting all of it he would be the best man for the job.
 

Loudninja

Member
Zoe said:
They really should have alerted Sony before posting the story. They originally gave vague instructions on how to do the exploit yourself.

Yes, all people are doing now is giving more attention to it.
 

smurfx

get some go again
i had originally used my gmail account to sign up to psn on my cousin's ps3. i checked it the other day and it said that the password had been changed. thought it was strange that sony didn't require you to verify through email when changing the password.
 

Zoe

Member
smurfx said:
i had originally used my gmail account to sign up to psn on my cousin's ps3. i checked it the other day and it said that the password had been changed. thought it was strange that sony didn't require you to verify through email when changing the password.

You're expected to only activate your account on PS3's that you have direct access to and that belong to people you trust.

Sucks for online game-sharers.
 

strem

Member
I think it is time that the Japanese just forget that online services exist. For a country so tech savvy they can't figure out this online stuff.
 

Zoe

Member
Loudninja said:
Yes, all people are doing now is giving more attention to it.

It's important to disclose exploits that may have affected people, but you don't want to do that until the fix is rock solid and in place, and you definitely don't want to tell other people how to do it.
 

V_Arnold

Member
VGChampion said:
Sony would be pretty stupid to hire Geohot. I know companies do this but it seems he pretty much started the whole mess indirectly.

Oh, I would hire Geohot if I were a Sony executive. Then I would make sure he gets his lunch, his lunch money and his credit card data stolen EVERY FUCKING DAY so he has to beg his coworkers for some food.
 

Loudninja

Member
Zoe said:
It's important to disclose exploits that may have affected people, but you don't want to do that until the fix is rock solid and in place, and you definitely don't want to tell other people how to do it.

Yep I agree, man some people harm more than they help lol.
 

XeroSauce

Member
smurfx said:
i had originally used my gmail account to sign up to psn on my cousin's ps3. i checked it the other day and it said that the password had been changed. thought it was strange that sony didn't require you to verify through email when changing the password.

So just quickly catching up on this thread...there was no verification needed at all? It just said your password was changed, have a nice day?

Do people not know basic security nowadays?
 

TTP

Have a fun! Enjoy!
XeroSauce said:
So just quickly catching up on this thread...there was no verification needed at all? It just said your password was changed, have a nice day?

Do people not know basic security nowadays?

There was a verification email, but he never clicked on the verification link and yet got the password change confirmation email afterwards.

I guess this "hack" somehow allows to intercept the confirmation email being sent to the user requesting a password reset, hence allowing someone else to confirm the password reset.
 

lowrider007

Licorice-flavoured booze?
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/

"UPDATE 4: Last update on the topic most likely, I notice a lot of people are saying that we should not have posted this information and simply contacted Sony, and you’re right in thinking this, however we contacted SCEE as soon as we had confirmed that the exploit was in fact real, the problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicise the exploit advising users to change the emails used for their PSN accounts to secure them until Sony could patch the security hole.

Originally we posted rough details on how the exploit operated, to give further evidence to users that it was a valid reason for them to change their passwords, as with most news like this on the internet, people tend not to believe something until hordes of users have been affected, we posted an article on N4G advising PSN users to switch their email addresses which was promptly reported as spam/lame/fake by several users who refused to believe the news due to our site just being a small news outlet.

All along our main priority and focus has been to assist Sony and PSN users in keeping their accounts safe. If the current downtime for the web based forms results in the exploit being patched then our job is done and the potential theft of countless user accounts has been nipped in the bud as early as humanly possible.

Thank you to everyone that has taken our warnings seriously and acted upon it, and to SCEE for their swift response to the matter."
 

Curufinwe

Member
strem said:
I think it is time that the Japanese just forget that online services exist. For a country so tech savvy they can't figure out this online stuff.

Because only Japanese companies have ever been hacked or had their network security compromised?
 

HaRyu

Unconfirmed Member
Zoe said:
It's important to disclose exploits that may have affected people, but you don't want to do that until the fix is rock solid and in place, and you definitely don't want to tell other people how to do it.

Yeah... when I saw the article about it, I actually tried to see if I could do the exploit w/ my own account.

Then I realized that if and when Sony fixes the exploit, they might come under the assumption that I was some hacker trying to break into my account, so I pretty much stopped after a few minutes of trying. :p
 

TTP

Have a fun! Enjoy!
HaRyu said:
Yeah... when I saw the article about it, I actually tried to see if I could do the exploit w/ my own account.

Then I realized that if and when Sony fixes the exploit, they might come under the assumption that I was some hacker trying to break into my account, so I pretty much stopped after a few minutes of trying. :p

Can you elaborate a bit about the procedure without giving too much away? I'm just curious about it.
 