• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

PSN accounts can possibly be compromised via new hack (UNCONFIRMED)

Status
Not open for further replies.

surly

Banned
A guy on Twitter was talking about a vulnerability that allows someone to take ownership of a PSN account using just an email address and date of birth. That same guy has now posted this article on his site: -

I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.

A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.

While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.

Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.

In addition to this, within a few minutes we received an email from Sony stating the following:

This email confirms that your PlayStation(R)Network password account has been changed successfully.

If you did not change your password…
This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
If you did not change your password, please contact Customer Support at the following address:

networksupport@uk.playstation.com

The PlayStation(R)Network Team


To the folks over at N4G, I realize that you may be hesitant to believe these claims however I can assure you that they are true.
Details of the exploit have been distributed via a certain PlayStation 3 “hacks” IRC server and are currently being utilized by a small group of people.

In creating this news article we want only to warn people and illustrate a definite way to protect their account while they can – I find the concept of burying ones head in the sand and refusing to believe something until the details of the exploit become widely known and peoples accounts are being compromised a very illogical way of handling things.

Look at things from my perspective, what options do you have here?, Do nothing, then run the risk of having your account compromised because a small relatively unknown site told you to change your email address and you didn’t listen, or take a few minutes of your time to change your email “Just in case”, then be safe in the knowledge that regardless of the outcome, your account is safe.

We have contacted Sony but do not expect any response until morning.

While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accounts/reset/resetPassword.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token.

We will update with further details as soon as possible.
http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/

This is unconfirmed, but the guy that wrote the article seems convinced and he's contacted Sony to let them know.
 

sazabirules

Unconfirmed Member
This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.
 

Davedough

Member
But the password manager will be sent to the registered email. If your passwords are different, then they've got nothing.
 

alr1ght

bish gets all the credit :)
sazabirules said:
This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.
While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token.
 

LiquidMetal14

hide your water-based mammals
sazabirules said:
This still doesn't add up. They can all of a sudden compromise your account by knowing a DOB and email? You still need the email password.
Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.
 

confused

Banned
And so it continues...... Poor Sony (seves them right for shitty security)

Now is the time to kill PSN and start over fresh.
 

Kagari

Crystal Bearer
2cdbvvd.gif
 

LiquidMetal14

hide your water-based mammals
DevelopmentArrested said:
Not even gonna bother with PSN again. What a joke
Basing it off unconfirmed things at this point. Right.

Be mad at idiots trying to fiddle with things they have no business with.
 

XiaNaphryz

LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
LiquidMetal14 said:
Someone refute this as this is not thread worthy if so. Unless there is no other thread where this is relevant.
Well, from the OP:
While we are hesitant to reveal too many details regarding how the exploit is performed, for obvious reason, we can say that the exploit specifically involves the web address https://store.playstation.com/accoun...d.action?token When used in combination with another web address (normally used for password recovery) certain key details can then be extracted and used to trick the server in to allowing the password of an account to be changed without a valid Sony-issued security token.
 
Status
Not open for further replies.
Top Bottom