Metalmurphy
Member
This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519
First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.
Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth could change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.
Sender details
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.
And where the story gets even more interesting is that Sony are just lying about it. This is their latest tweets.
Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:
And now they're fixing the problem.
Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.
http://www.neogaf.com/forum/showthread.php?t=430519
First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.
Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth could change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.
Sender details
Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.
And where the story gets even more interesting is that Sony are just lying about it. This is their latest tweets.
"Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:
(the tweets warning about the exploit were removed, most likely cause Sony asked him to)"@PlayStationEU - Thank you for the speedy response guys"
And now they're fixing the problem.
Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.