
Sony had an exploit on their PSN password recovery page and it is now fixed

#1
This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down and are most likely fixing it, and if you were a victim of this you would get an email warning that someone had changed your password, so if you didn't, you're safe.


Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth to change your password without you confirming it. Personally I didn't believe him, so I gave him my login and DOB. He didn't reply for a long time so I went to sleep. This morning, however, I got these 2 emails.




Sender details
Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
(decoded: "[PlayStation(R)Network] パスワード変更のお知らせ", i.e. "Notice of password change")
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now; supposedly only people with access to the login address can change it then. HOWEVER, the second email is a confirmation that the password was changed, and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.


And where the story gets even more interesting is that Sony are just lying about it. These are their latest tweets.
"Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:
"@PlayStationEU - Thank you for the speedy response guys"
(the tweets warning about the exploit were removed, most likely because Sony asked him to)

And now they're fixing the problem.



Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.
 
#6
Surprising and annoying that this hole a) existed b) was not discovered in their post-fall security review.

Kudos to Nyleveia though, for finding it and informing Sony.
 
#7
Jarmel said:
Lol so do you even know the password to your own account?
Yes, the password comes listed in the email (it's the red box in the pictures). The problem is, once they have the password they can change the login address, and after that you lose your account.
 
#12
Metalmurphy said:
Yes, the password comes listed in the email (it's the red box in the pictures). The problem is, once they have the password they can change the login address, and after that you lose your account.
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
 
#15
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

I think they post it on their twitter feed so you can be notified easily.
 
#16
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
 
#19
Metalmurphy said:
What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
we already know they've made a hash of the passwords.
 
#25
Metalmurphy said:
What makes you think they are? It's normal for you to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
 
#26
I don't know the details, but I guess that the confirmation URL is embedded in the webpage somehow. Just URL manipulation to 'force' the confirmation?
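
The flow the OP describes (reset started with login address + date of birth, confirmation link mailed, password changed without the link being clicked) and the URL-manipulation guess in the post above both come down to one question: does the step that actually changes the password require anything the attacker could not already supply? The following is an added example, not code from the thread or from Sony: a hypothetical reconstruction of that failure mode beside a hardened version. Everything in it (the account record, the `reset.example` host, the class and method names) is made up for illustration; the page does not say how Sony's page was actually implemented.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account (made-up address and DOB, not real data).
ACCOUNTS = {"victim@example.com": {"dob": "1985-03-14", "password_hash": None}}


def _sha256(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


class VulnerableReset:
    """Hypothetical reconstruction of the failure mode, not Sony's code: the
    confirm step re-checks only the knowledge factors (login address and DOB)
    that already started the reset, so the emailed link is decorative."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.outbox = []  # (recipient, body) pairs standing in for sent mail

    def request(self, login, dob):
        acct = self.accounts.get(login)
        if acct is None or acct["dob"] != dob:
            return False
        token = secrets.token_urlsafe(32)
        self.outbox.append((login, f"confirm: https://reset.example/confirm?t={token}"))
        return True

    def confirm(self, login, dob, token=None):
        acct = self.accounts.get(login)
        if acct is None or acct["dob"] != dob:
            return None
        # BUG: `token` is never compared with the one that was mailed out.
        new_pw = secrets.token_urlsafe(12)
        acct["password_hash"] = _sha256(new_pw)
        self.outbox.append((login, f"your temporary password is {new_pw}"))
        return new_pw


class HardenedReset:
    """Same flow, but the password only changes when the single-use, expiring
    token that was delivered to the mailbox is presented."""

    TOKEN_TTL_SECONDS = 24 * 60 * 60

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.outbox = []
        self._pending = {}  # login -> (sha256(token), expiry); never the raw token
        self._now = now

    def request(self, login, dob):
        acct = self.accounts.get(login)
        # Always answer True so the response does not reveal whether the
        # address/DOB pair exists (account-enumeration defence).
        if acct is not None and acct["dob"] == dob:
            token = secrets.token_urlsafe(32)
            self._pending[login] = (_sha256(token), self._now() + self.TOKEN_TTL_SECONDS)
            self.outbox.append((login, f"confirm: https://reset.example/confirm?t={token}"))
        return True

    def confirm(self, login, token):
        entry = self._pending.get(login)
        if entry is None:
            return None
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[login]
            return None
        if not hmac.compare_digest(token_hash, _sha256(token)):
            return None  # wrong token: keep the pending entry for the real link
        del self._pending[login]  # single use: a replayed link must fail
        new_pw = secrets.token_urlsafe(12)
        self.accounts[login]["password_hash"] = _sha256(new_pw)
        self.outbox.append((login, f"your temporary password is {new_pw}"))
        return new_pw


def demo():
    """Attacker knows the login address and DOB but never sees the mailbox."""
    login, dob = "victim@example.com", "1985-03-14"
    vuln = VulnerableReset({login: dict(ACCOUNTS[login])})
    vuln.request(login, dob)
    stolen = vuln.confirm(login, dob)  # no token, still succeeds

    hard = HardenedReset({login: dict(ACCOUNTS[login])})
    hard.request(login, dob)
    guessed = hard.confirm(login, secrets.token_urlsafe(32))
    real_token = hard.outbox[-1][1].split("?t=", 1)[1]  # the victim's view
    legit = hard.confirm(login, real_token)
    replay = hard.confirm(login, real_token)
    return {
        "vulnerable_bypass_succeeds": stolen is not None,
        "hardened_guess_fails": guessed is None,
        "hardened_legit_succeeds": legit is not None,
        "hardened_replay_fails": replay is None,
    }
```

The hardened version stores only a hash of the token, compares it in constant time, expires it, and deletes it on first use, so the mailbox is the one place the secret exists. It keeps the thread's "temporary password by email" step for comparability; a stronger design lets the user set the new password on the token-bearing page so no credential transits email at all, and invalidates any pending token whenever the account's address or password changes.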
 
#30
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
 
#31
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
They mail you a temporary password that expires within 24 hours. Just like many other services.
 
#34
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
He had both my email address (not the password) and my Date of Birth, because I gave them to him to see if this was real or not.

And no the emails aren't spoofed.

Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
(decoded: "[PlayStation(R)Network] パスワード変更のお知らせ", i.e. "Notice of password change")
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
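
The OP and the post above both rest on these headers as proof the mails were not spoofed. What they actually establish is narrower than "came from Sony", and the following added example (not from the thread; written here for this page) shows how to read them: it parses the posted headers, re-folded with leading whitespace on continuation lines as RFC 5322 requires, decodes the ISO-2022-JP subject, and checks that the `spf=pass` verdict was issued by the receiving MX for the IP on the hop that MX itself recorded. Function names are this example's own.

```python
import re
from email.header import decode_header

# The headers posted in the thread (Sony's reset-confirmation mail as Gmail
# stored it), re-folded so continuation lines begin with whitespace.
RAW_HEADERS = """\
Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
        Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
        Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
        by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
        Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
        by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
        for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
        =?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
"""


def unfold(raw):
    """Return [(name, value)] in header order, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return [(n, v) for n, v in fields]


def decode_subject(value):
    """Decode RFC 2047 encoded words (ISO-2022-JP here) into a str."""
    return "".join(
        chunk.decode(cs or "ascii") if isinstance(chunk, bytes) else chunk
        for chunk, cs in decode_header(value)
    )


def parse_received(value):
    """Extract (from-host, bracketed IP, by-host) from one Received: header."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    return (m_from.group(1) if m_from else None,
            m_ip.group(1) if m_ip else None,
            m_by.group(1) if m_by else None)


def check_headers(raw):
    fields = unfold(raw)

    def get(name):
        return [v for n, v in fields if n.lower() == name.lower()]

    hops = [parse_received(v) for v in get("Received")]  # newest hop first
    auth = get("Authentication-Results")[0]
    authserv_id = auth.split(";", 1)[0].strip()  # who made the claim
    spf_result = re.search(r"\bspf=(\w+)", auth).group(1)
    spf_domain = re.search(r"smtp\.mail=\S+@(\S+)", auth).group(1)
    client_ip = re.search(r"client-ip=([\d.]+)", get("Received-SPF")[0]).group(1)

    # An SPF verdict covers only the connection the authserv itself accepted,
    # so the client-ip it names must be the IP in the Received: line that
    # host added. Anything below that hop is the sender's own (unverifiable) story.
    handoff = next(h for h in hops if h[2] == authserv_id)
    from_domain = get("From")[0].rsplit("@", 1)[1]
    return_path_domain = get("Return-Path")[0].strip("<>").rsplit("@", 1)[1]
    return {
        "subject": decode_subject(get("Subject")[0]),
        "authserv_id": authserv_id,
        "spf": spf_result,
        "spf_domain": spf_domain,
        "spf_ip_matches_handoff": client_ip == handoff[1],
        "from_aligned_with_return_path": from_domain == return_path_domain,
        "hops": hops,
    }
```

Run `check_headers(RAW_HEADERS)` and the result says: mx.google.com (the recipient's own MX, so a header the sender could not have inserted above it) accepted the message from 173.230.215.35, which ac.playstation.net's SPF record authorises, and the visible From domain matches the envelope domain. That is good evidence the mail left Sony's outbound relay, which is all the thread needs; it does not authenticate the internal hop from 10.238.58.8 or the message body, since there is no DKIM signature here to check.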
 
#35
Tntnnbltn said:
To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
Well, the OP doesn't say if he did or not.
 
#36
Tntnnbltn said:
As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
I don't know, he never specified.

I'm certainly dubious if the hacker had his email, though.
 
#37
don't really give a shit about passwords being lost/compromised as long as I get on there and wipe off any credit card info. PSN cards only
 
#39
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him
 
#43
News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, Sony will require all users to change their date of birth before accessing PSN.

Also - due to "security reasons" the "feature" of having a choice of input will be removed, as this was never explicitly promised when users purchased the ps3. Instead, everyone will share one big PSN account which will consist of two buttons, one that can be clicked to download Little Big Planet and another that can be clicked to listen to a selected Sony/BMG artist*.

*Artists subject to change and rootkit installation. Limited to one play on one machine for the lifetime of offer.
 
#45
gcubed said:
i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him
Actually no, I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. There are both an "asking for confirmation" email and a "final confirmation" email, so the password was indeed changed.

kurtrussell said:
News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, Sony will require all users to change their date of birth before accessing PSN.
DoB wasn't breached. To be clear, for this to happen they would have had to have gotten your PSN email address and DoB from somewhere else. In this case, I told them.
 
#46
Metalmurphy said:
Actually no, I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. There are both an "asking for confirmation" email and a "final confirmation" email, so the password was indeed changed.
You don't think these accusations are all a bit premature if you don't even know whether your password's been changed?
 
#49
But I didn't get my password mailed to me in text in the confirmation emails. Is there something different in the Japanese and North American password change systems?
 
#50
toythatkills said:
You don't think this is all a bit premature if you don't even know whether your password's been changed?
How is it premature? I got an email, from Sony, telling me my password was changed after I gave my info; I don't think you need more confirmation than that.

And Sony took the password recovery page down afterwards.
 