I'd like to see some proof about that.
So is this a public service announcement that I shouldn't give my login credentials (of any service you log into) to hackers (anyone), lest I'm at risk of tampering with my account?
Wow, thanks for the insight OP!
Just look at Miitomo - the reason for only being able to add by people around you or social networking is to prevent spammers and bots.
XSplit is being a jerk right now, but here. It works on cloud saves, too. I didn't capture the deletion screen because there isn't one/no prompt given, it just sends you back to the games list.
But yeah, while Nintendo does give you the regular login via e-mail as an option, it's a step in the right direction. Again, this is by no means a way for them to steal all your stuff, but is another way for someone malicious to do evil if they have your credentials.
No need to be rude.
It's a public service announcement that should your PSN credentials get stolen (not just limited to accounts with unauthorized charges where the user chooses to eat them in order to keep the account and not be banned), your friends list and saves can be deleted remotely.
As others have said, if you don't plan on using the remote feature, consider turning it off. Also a warning to keep your passwords up to date and consider using a password manager.
Seriously? This made Miitomo useless for me.
Right, if your account is compromised, the stuff on your console can be deleted. The issue is because the feature is enabled by default and as I stated in OP, didn't require any interaction on the console itself when I connected.
Sounds more like FUD to me. Anything can be done, if your PSN/XBL/NN password is compromised, even without using remote play. I highly doubt anyone could delete anything via remote access, if they don't have the access to password.
I shouldn't have phrased it so factually, but I bet that's a big reason why an add by username was left out. The mobile market is plagued with bots on apps like Kik, Tinder, etc. - it's no different from spam anywhere else. If people were getting random adds with spam URLs, this would poop up Miitomo pretty quick.
I suppose it just as easily could have been to encourage linking with social media to import friends quickly and seamlessly. Pretty much everyone has a Facebook or Twitter these days, anyway.
What points would that be? I posted proof that you can delete local and cloud data using the app. I was able to turn my console on while in rest mode on my local network, so I can only assume it would work outside over WAN. Your friends list can be purged via the console, which cannot be done through the site. If you were compromised and this happened, there are things an intruder would be able to delete which cannot be recovered, even if you regain control of the account after the password was reset.
and you have been factually wrong on many points.
It is a more likely scenario that a hacker will use the remote application rather than sign-in using their own PS4 because it's easier and faster and more secure for them.
Damn, that's brilliant.
I'm guessing you can access the web browser using remote play, so if someone were remotely controlling the PS4 they now have access to all your internal web services (i.e. your router's configuration page, which in the majority of cases is going to be set to the manufacturer's default password).
Not if they wanted to screw with you before they sold or kept your account. The game saves are totally useless to them, as is the friends list. In fact, selling an account with people on the friends list would make it more obvious that it's a stolen account and probably be unwise for them if that was their intention.
This is just not the case.
You know what a hacker would do if they had your information (which they did not get through remote play)? Log on through the Sony website.
BREAKING NEWS: If someone has your keys, they can get into your house.
If someone already has access to your PSN credentials, they don't need remote play to fuck with you. Your thread is bonzo beans.
And we're done here
Yes, but it proves that this method can and will work in the reverse situation, as outlined in my OP.
This is only day 2 or 3 of the service having gone live, too.
Please read the thread again. It proves that it works as intended (and had the fortunate side effect of letting that guy know that another person had access to his PSN details)
What's the problem with a program working as it should?
It's a security hazard because most people that game online have UPnP enabled and the remote play service is on by default on the new firmware. Therefore, you have a ton of people with unchanged credentials from old dumps of third-party breaches using the same info and they can get their console accessed.
From there, the intruder accesses the user's browser, uses a custom DNS on their router gateway to implement a MITM attack and your entire network is pwnt to a crisp. I checked and the PS4 browser is accessible from remote play.
Again, I never said you could do it without their credentials. Not sure if you realize this, but when major sites are hacked and hashed passwords are stolen, the database dumps are often shared publicly and privately. You have to also account for users being targeted directly via phishing or other attempts.
If it's so easy, have you done any of this at all to another person's PS4 you don't know without their credentials? You still need the login credentials. Remote Play is a feature built upon network features that are inherently gonna have the same vulnerability.
The bottom line is that until the web browser is disabled from remote play, you can gain access to someone's internal network with it if you have their PSN credentials and can access their PS4 using remote play. This isn't hard, InsaneTiger.
The problem isn't Remote Play, the same could happen if a hacker grabbed a Vita or PSTV and knew your credentials.
The problem is that without 2-factor authentication, a hacker is able to quickly and easily decipher anybody's credentials. Even 2-factor isn't perfect if the hacker gets clever and employs some social engineering with any gullible customer service rep (see Apple.)
Please stop with this nonsense of Remote Play being the problem because it is not. It is simply a tool that can be exploited if you have a person's credentials.
This isn't hard OP.
THE BOTTOM LINE: Dude! You need their credentials!
And then they do... what? Watch media from my local plex server?
B-b-but you can't do it without their credentials! I'm not trying to argue, I'm just stating facts. Having this on by default is a huge security risk, we aren't arguing the possible semantics of social engineering a company for credentials.
Worth noting that user DoctorWho from the other topic doesn't think his account was compromised until a couple of days ago, where it was made primary account on the hacker's PS4. Therefore, if it was from a prior leaked dump, these accounts are still actively being checked or old compromised accounts are just sitting dormant for a good opportunity - like having access to someone's router gateway and home traffic.
I'm not sure why everyone is coming in this topic failing to acknowledge this and acting like I'm a shill that is shunning Remote Play entirely. It's important people know to lock their console with a passcode or disable Remote Play if they aren't going to use it, as well as changing the default password on their router and checking the SEN site regularly to ensure their PSN account isn't active on any console other than their own.
Configure your router to redirect traffic to phishing pages. https://en.wikipedia.org/wiki/DNS_spoofing
Phishing e-mails don't work because people know to watch the address bar and sender e-mails (view original, etc), plus most stuff just goes to the spam folder. PSN accounts aren't useful on the black market because the accounts are banned from fraud claims - or accounts can be claimed back if the original owner has access to the e-mail. I suspect there is currently little money in PSN accounts, mostly just people hijacking accounts to play a free game or two. Again, you can't gift games on PSN accounts or view full payment information.
Having the ability to get into someone's network, though? A DNS spoof would hijack the address of the site you're visiting behind the scenes and still show the proper web address of the site in your address bar, not the forged address. This would be the phishing attempt the person would want and would be much more appealing with a widespread variety of accounts using different passwords. Different passwords which might include the password you're using on the e-mail of the PSN if it were different, or other accounts with different credentials.
It's no more farfetched than some Russian hacker jacking an account to play a game or two and the account be banned a week later. It opens the floodgates for a much broader hack with a more lucrative payoff.