Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

Metalmurphy
This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.


Now to the whole story:
This guy on Twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and date of birth to change your password without you confirming it. Personally I didn't believe him, so I gave him my login and DOB. He didn't reply for a long time, so I went to sleep. This morning, however, I got these 2 emails.




Sender details
Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.


And where the story gets even more interesting is that Sony are just lying about it. These are their latest tweets.
"Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
Improve the email process, my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:
"@PlayStationEU - Thank you for the speedy response guys"
(the tweets warning about the exploit were removed, most likely because Sony asked him to)

And now they're fixing the problem.



Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.
 

iNvid02
just a DOB is not secure enough, everyone knows my DOB

That's it, I want facial recognition and fingerprint scans in the PS4.
 

Dragon
Metalmurphy said:
Yes, the password comes listed in the email (it's the red box in the pictures). The problem is, once they have the password they can change the login address, and after that you lose your account.
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
 

Raide
Yikes, one mess after another. So what are the chances of all those that changed their PSN Passwords, having to re-do it again?
 

mrklaw
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?

I think they post it on their twitter feed so you can be notified easily.
 

Metalmurphy
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
What makes you think they are? It's normal to get the password sent to you by email when you're doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
 

mrklaw
Metalmurphy said:
What makes you think they are? It's normal for you to get the password sent to you by email when your doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
we already know they've made a hash of the passwords.
 

toythatkills
Metalmurphy said:
What makes you think they are? It's normal for you to get the password sent to you by email when your doing the recovery process. It doesn't mean that it's saved on the servers in plain text. We already know they hash the passwords.
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
 

herod
I don't know the details but I guess that the confirmation url is embedded in the webpage somehow. Just URL manipulation to 'force' the confirmation?
 

Curufinwe
CadetMahoney said:
thread needs some corporate love.
Thread needs more love for MetalMurphy having the guts to send his details to the guy on Twitter and proving the story was true.
 

Barrett2
panda21 said:
unbelievable. there is literally nothing they could do to make me trust them again at this point.
Can I interest you in a free Syphon Filter PSP download?

Ehhhh??
 

Tntnnbltn
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
 

Zoe
TheBranca18 said:
Wait a second...they mail you the password? Uh, they should be encrypting it and storing it in the database so it cannot be unencrypted. They're really not storing the password in plaintext...right?
They mail you a temporary password that expires within 24 hours. Just like many other services.
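The reset flow the thread is arguing about, written out as an added Python example: it is not Sony's code and is not derived from it. The page never establishes how the confirmation step was skipped (herod's URL-manipulation guess is only a guess), so `confirm_reset_weak` models just the outcome Metalmurphy reports, a reset that completes for anyone who can supply the login e-mail address and date of birth. The hardened `confirm_reset` requires the single-use, unexpired token that only the mailbox owner received, then mails a temporary password that lapses after 24 hours, storing only its hash, which is the point Metalmurphy and Zoe make about mailed passwords not implying plaintext storage. `Account`, `ResetService`, the token lifetime, the in-memory outbox standing in for SMTP and the victim's details are all constructed for this example.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass
from typing import Callable, List, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; only this value is ever stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:                              # constructed in-memory account record
    email: str
    dob: str                                # what the thread's attacker already knows
    pw_hash: bytes
    salt: bytes
    pending: Optional[dict] = None          # outstanding reset request, if any
    temp_expires: Optional[float] = None    # set while a mailed temporary password is in force


class ResetService:
    TOKEN_TTL = 60 * 60                     # confirmation-link lifetime (assumed value)
    TEMP_TTL = 24 * 60 * 60                 # temporary-password lifetime, per Zoe's post

    def __init__(self, accounts: List[Account], now: Callable[[], float] = time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.now = now
        self.outbox = []                    # (to, kind, body) tuples stand in for SMTP

    def request_reset(self, email: str, dob: str) -> str:
        """Step 1: identity claim. Mails a confirmation token; never reveals it to the caller."""
        acct = self.accounts.get(email.lower())
        if acct is not None and hmac.compare_digest(acct.dob, dob):
            token = secrets.token_urlsafe(32)
            acct.pending = {"token_hash": hashlib.sha256(token.encode()).digest(),
                            "expires": self.now() + self.TOKEN_TTL}
            self.outbox.append((acct.email, "confirm", token))
        return "If the account exists, a confirmation e-mail has been sent."  # no enumeration

    def _issue_temp_password(self, acct: Account) -> str:
        """Step 3: random temporary password; keep only the hash, mail the plaintext once."""
        temp = secrets.token_urlsafe(12)
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(temp, acct.salt)
        acct.temp_expires = self.now() + self.TEMP_TTL
        self.outbox.append((acct.email, "temp_password", temp))
        return temp

    def confirm_reset_weak(self, email: str, dob: str) -> Optional[str]:
        """Flawed step 2: re-checks only the public identity claim, so the mailed link is decorative."""
        acct = self.accounts.get(email.lower())
        if acct is None or not hmac.compare_digest(acct.dob, dob):
            return None
        return self._issue_temp_password(acct)

    def confirm_reset(self, email: str, token: str) -> Optional[str]:
        """Hardened step 2: only the holder of the unexpired, single-use token may proceed."""
        acct = self.accounts.get(email.lower())
        if acct is None or acct.pending is None:
            return None
        pend = acct.pending
        if self.now() > pend["expires"]:
            acct.pending = None
            return None
        if not hmac.compare_digest(pend["token_hash"], hashlib.sha256(token.encode()).digest()):
            return None
        acct.pending = None                 # consume the token: a link works exactly once
        return self._issue_temp_password(acct)

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return False
        if acct.temp_expires is not None and self.now() > acct.temp_expires:
            return False                    # lapsed temporary password: start over
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def demo() -> dict:
    # Attacker knows the victim's e-mail and DOB but never sees the mailbox.
    clock = [1_305_710_931.0]               # constructed fixed clock
    email, dob = "victim@example.com", "1985-03-14"

    def fresh() -> ResetService:
        salt = os.urandom(16)
        return ResetService([Account(email, dob, hash_password("correct horse", salt), salt)],
                            now=lambda: clock[0])
    out = {}
    svc = fresh()                           # flawed flow
    svc.request_reset(email, dob)
    temp = svc.confirm_reset_weak(email, dob)
    out["weak_attacker_gets_temp_password"] = temp is not None
    out["weak_attacker_can_log_in"] = svc.login(email, temp)
    svc = fresh()                           # hardened flow
    svc.request_reset(email, dob)
    out["hardened_guess_rejected"] = svc.confirm_reset(email, secrets.token_urlsafe(32)) is None
    token = next(body for _, kind, body in svc.outbox if kind == "confirm")
    temp = svc.confirm_reset(email, token)  # only the mailbox owner can do this
    out["hardened_owner_gets_temp_password"] = temp is not None
    out["hardened_token_single_use"] = svc.confirm_reset(email, token) is None
    out["hardened_owner_can_log_in"] = svc.login(email, temp)
    clock[0] += ResetService.TEMP_TTL + 1
    out["temp_password_expired_after_24h"] = not svc.login(email, temp)
    return out
```

`demo()` runs both flows against a fresh victim each time: in the flawed one the attacker ends up holding a working temporary password without ever touching the inbox, which is the sequence of two e-mails the OP describes; in the hardened one a guessed token fails, the real token works once and only once, and the mailed password stops working after 24 hours. The server keeps a hash of the token and of the temporary password, so a database read exposes neither.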
 

Metalmurphy
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
He had both my email address (not the password) and my date of birth, because I gave them to him to see if this was real or not.

And no the emails aren't spoofed.

Delivered-To: ut3modsps3@gmail.com
Received: by 10.101.161.8 with SMTP id n8cs99097ano;
Wed, 18 May 2011 02:43:45 -0700 (PDT)
Received: by 10.68.66.8 with SMTP id b8mr2517501pbt.425.1305711824553;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Return-Path: <DoNotReply@ac.playstation.net>
Received: from lvp-sys-prdmx03.sonynei.net (mx3.sonynei.net [173.230.215.35])
by mx.google.com with ESMTP id x9si4116720pbj.255.2011.05.18.02.43.44;
Wed, 18 May 2011 02:43:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) client-ip=173.230.215.35;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of DoNotReply@ac.playstation.net designates 173.230.215.35 as permitted sender) smtp.mail=DoNotReply@ac.playstation.net
Received: from lvp-p1-npmailt01.sonynei.net (unknown [10.238.58.8])
by lvp-sys-prdmx03.sonynei.net (Postfix) with ESMTP id 2C527BDE2467
for <UT3MODSPS3@gmail.com>; Wed, 18 May 2011 02:28:51 -0700 (PDT)
Date: Wed, 18 May 2011 02:28:51 -0700 (PDT)
From: DoNotReply@ac.playstation.net
To: UT3MODSPS3@gmail.com
Message-ID: <2119057556.2606738.1305710931181.JavaMail.tomcat@lvp-p1-npmailt01.sonynei.net>
Subject: =?ISO-2022-JP?B?W1BsYXlTdGF0aW9uKFIpTmV0?=
=?ISO-2022-JP?B?d29ya10gGyRCJVElOSVvITwlSUpROTkkTiQqQ04kaSQ7GyhC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
 

Akkad
Tntnnbltn said:
To do the hack the person needs to know your log-in email and your full D.O.B.

As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
Well, the OP doesn't say if he did or not.
 

toythatkills
Tntnnbltn said:
As for proving it wasn't a massive wind-up, don't you think Metal Murphy would have tried to log into his PSN account afterwards to check?
I don't know, he never specified.

I'm certainly dubious if the hacker had his email, though.
 

mrklaw
don't really give a shit about passwords being lost/compromised as long as I get on there and wipe off any credit card info. PSN cards only
 

gcubed
toythatkills said:
No it's not. Did this person that "hacked" your account have your email address? Is there a chance that these are just spoofed emails and this is a massive wind-up?
i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him
 

kurtrussell
News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, sony will require all users to change their date of birth before accessing PSN.

Also - due to "security reasons" the "feature" of having a choice of input will be removed, as this was never explicitly promised when users purchased the ps3. Instead, everyone will share one big PSN account which will consist of two buttons, one that can be clicked to download Little Big Planet and another that can be clicked to listen to a selected Sony/BMG artist*.

*Artists subject to change and rootkit installation. Limited to one play on one machine for the lifetime of offer.
 

Metalmurphy
gcubed said:
i'm assuming metalmurphy tried to then log in to his account with that password and it worked, so i have no reason not to believe him
Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.

kurtrussell said:
News at ten: Sony notify PSN users that their date of birth information has been breached. PSN taken down immediately - ETA "in a couple of days" - when it's back up, upon logging in, sony will require all users to change their date of birth before accessing PSN.
DoB wasn't breached. To be clear, for this to happen they would have had to get your PSN email address and DoB from somewhere else. In this case, I told them.
 

toythatkills
Metalmurphy said:
Actually no I didn't. The websites were already down when I woke up and saw the emails. But the emails are indeed real and came from Sony servers. They are both "asking for confirmation" and a "final confirmation" email, so the password was indeed changed.
You don't think these accusations are all a bit premature if you don't even know whether your password's been changed?
 

Azih
But I didn't get my password mailed to me in text in the confirmation emails. Is there something different in the Japanese and North American password change systems?
 

Metalmurphy
toythatkills said:
You don't think this is all a bit premature if you don't even know whether your password's been changed?
How is it premature? I got an email from Sony telling me my password was changed after I gave my info; I don't think you need more confirmation than that.

And Sony took the password recovery page down afterwards.
 