
Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

kurtrussell

Banned
Oct 21, 2010
2,559
0
0
brentech said:
You're just a junior, don't bring that shit here. It won't end well.

Warning shots fired.

Care to tell me what "shit" I brought from behind the safety of your keyboard?
 

Benedict

Member
Jul 30, 2004
5,098
0
1,490
47
Sweden
So... is my info safe now?

I'm having a meltdown in my brain right now, after coming home from work, battling with computers and IT-support from the year 1945...
 

Luckyman

Banned
Apr 30, 2006
4,688
0
0
I don't know why anyone has trust that Sony has stepped up security. Japan says not so much

Good luck Sony
 

Massa

Member
Jan 16, 2009
16,846
1
0
MarkMclovin said:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

He didn't have to click anything.

When you request a new password Sony e-mails you a token that allows you to change it on their website. The problem here is that the person who requested that token somehow got access to it without having to read the e-mail Sony sent (or they found a way to reset the password without the token at all, but that's much more unlikely).
 

Seraphinianus

Banned
Sep 2, 2010
10,734
0
0
This will require at least 10 more little Japanese men bowing before they earn my trust back.



Can't wait to see the excuses in this thread. This company is fucked up and they don't give a shit about your security.
 

kurtrussell

Banned
Oct 21, 2010
2,559
0
0
So essentially, the URL had a '&=username&dateofbirth' type string in it and it wasn't salted?

And that went past three independent security experts? Sheesh - get your consulting fees back from them, Sony.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
XiaNaphryz said:
Read through the thread man and get caught up! Only took me 5 min. ;P
I read through some posts, but not all, so I must have missed it. Where was it mentioned by the way? :)
 

brentech

Member
Dec 11, 2008
23,742
0
685
kurtrussell said:
Care to tell me what "shit" I brought from behind the safety of your keyboard?
Threats are cool.

Anyways, the whole otherOS and firmware shit simply doesn't end well, especially in a thread that has nothing to do with it. I'm simply saying don't reach here, as it has got many others banned, but if that's how you choose to respond it's probably for the better.
 

XiaNaphryz

LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
Nov 5, 2005
52,171
0
0
SF Bay Area
gofreak said:
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts.
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
 

Evlar

Banned
Dec 22, 2006
14,386
1
0
Massa said:
He didn't have to click anything.

When you request a new password Sony e-mails you a token that allows you to change it on their website. The problem here is that the person who requested that token somehow got access to it without having to read the e-mail Sony sent (or they found a way to reset the password without the token at all, but that's much more unlikely).
Which would indicate the "token" can somehow be determined from the data embedded in the original password reset page or from the personal data someone would already possess at that point in the reset process.
 

gofreak

GAF's Bob Woodward
Jun 8, 2004
43,343
2
1,645
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?

Given what it cost them in revenue, I really doubt it - the fees to bring in these people would be minuscule in comparison to what the amount of offline time was costing them, and they didn't 'skimp' on that amount of time.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
Apr 21, 2008
27,396
0
0
Argentina
TTP said:
I don't see it in my URL.
The 'haxxorz' need the email and Date of Birth to 'haxx'
Because that's why you need to reset the account password.

The 'haxx' itself must be a way to get the password reset email from SONY and then change the URL.

But well they're fixing it now.
 

Seraphinianus

Banned
Sep 2, 2010
10,734
0
0
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?



then it would be the original hack all over again.
 

TTP

Have a fun! Enjoy!
Jun 10, 2004
24,539
3
1,560
Italy
www.iwagglevr.com
Fersis said:
The 'haxxorz' need the email and Date of Birth to 'haxx'
Because that's why you need to reset the account password.

The 'haxx' itself must be a way to get the password reset email from SONY and then change the URL.

But well they're fixing it now.

Yeah, I know that. I'm just saying that info is not present in the verification url.
 

Hanmik

Member
May 20, 2009
12,684
7
0
46
Faroe Islands
www.joypad.dk
Smision said:
This will require at least 10 more little Japanese men bowing before they earn my trust back.



Can't wait to see the excuses in this thread. This company is fucked up and they don't give a shit about your security.

do you want to join the "club"..?

 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
TTP said:
They aren't allowing PSN restoration in Japan until Sony provides some proof of increased security.

Japan is still PSN-less.
True, but the security can still be improved :) It just depends on what type of proof they need and how they want to acquire this proof, maybe it takes some time. I wonder what type of proof they want to see.
 

Tntnnbltn

Member
Jul 12, 2007
8,579
0
0
test_account said:
I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
 

TTP

Have a fun! Enjoy!
Jun 10, 2004
24,539
3
1,560
Italy
www.iwagglevr.com
test_account said:
True, but the security can still be improved :) It just depends on what type of proof they need and how they want to acquire this proof, maybe it takes some time. I wonder what type of proof they want to see.

I wonder that as well.

This password reset thing doesn't help matters tho. :D
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
larvi said:
Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?

That is the one thing you will never be able to change (at least by yourself). There are implications for access controls and internet laws.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
Tntnnbltn said:
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...
That is a good point, I actually thought about that :) But unless that info gets widespread on the net (which hasn't happened yet as far as I know), I don't think that it will be a big problem in general, and especially now that Sony fixes this problem (most likely).


TTP said:
I wonder that as well.

This password reset thing doesn't help matters tho. :D
True hehe :\ Hopefully for people in Japan/Asia, this won't delay PSN getting back for a long time.
 

zomgbbqftw

Banned
Jan 21, 2011
14,538
0
0
kurtrussell said:
Any news on Sony UK and the Data Protection Act? From what I've had constantly drummed into me over the last seven years, Sony could theoretically be fined a large amount per breached account...

Play.com didn't get fined, the government didn't get fined, the MoD didn't get fined. No one gets fined.
 

Clear

Member
Feb 2, 2009
13,772
10,006
1,405
Tntnnbltn said:
Lucky for us there haven't been any major intrusions in PSN security recently that, among other things, revealed people's DOBs...

To which point the obvious retort is, if you've already been hacked and your personal information mined, what's being lost by getting hacked again especially when all e-commerce is suspended?

Seems like griefing to me.
 

TTP

Have a fun! Enjoy!
Jun 10, 2004
24,539
3
1,560
Italy
www.iwagglevr.com
Clear said:
To which point the obvious retort is, if you've already been hacked and your personal information mined, what's being lost by getting hacked again especially when all e-commerce is suspended?

Seems like griefing to me.

Well, you can say that because we have discovered about this exploit now.

Imagine if we didn't, and soon after the Store was back up you find out you can't log in (wrong password) and on top of that you get emails confirming purchases from the Store you never did.
 

Seraphinianus

Banned
Sep 2, 2010
10,734
0
0
Hanmik said:
do you want to join the "club"..?

http://i.imgur.com/Pu6rf.jpg


really? this is how you guys are responding these days...ok, two can play---



http://4.bp.blogspot.com/_ce8nz6K9xj8/SolYvQ5fd0I/AAAAAAAAASs/_8Nj11wV6XU/s320/StockholmSyndromeDerekWebb.jpg
 

Loudninja

Member
Jul 30, 2007
53,088
4
0
32
Chicago
TTP said:
Well, you can say that because we have discovered about this exploit now.

Imagine if we didn't, and soon after the Store was back up you find out you can't log in (wrong password) and on top of that you get emails confirming purchases from the Store you never did.
Yep.
 

MarkMclovin

Member
Dec 5, 2008
8,866
2
0
Metalmurphy said:
That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.

Ah I get it now thanks.

Maybe there is no randomness to that URL that you need to click on apart from your email address and DOB within it?
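
Added example, not part of any post in this thread and not Sony's code: the reset flow Massa describes, contrasted with the kind of token Evlar and MarkMclovin speculate about, one computed from data the requester already knows. The thread does not establish how the real flaw worked; the names `derived_token`, `ResetService`, the 15-minute lifetime and the sample e-mail address and date of birth are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for this example


def derived_token(email: str, dob: str) -> str:
    """Weak design: token computed only from data the requester typed in."""
    return hashlib.sha256(f"{email}|{dob}".encode()).hexdigest()


class ResetService:
    """Hardened design: random, single-use, expiring token sent only by e-mail."""

    def __init__(self, clock=time.time):
        self._pending = {}  # email -> (sha256 of token, expiry timestamp)
        self._clock = clock

    def request_reset(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[email] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mail only, never into the web response

    def complete_reset(self, email: str, token: str) -> bool:
        entry = self._pending.get(email)
        if entry is None or not token:
            return False  # no reset requested, or request carried no token
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]
            return False  # link is too old
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, digest):
            return False  # token does not match the one that was mailed
        del self._pending[email]  # single use: a replayed link is rejected
        return True


def demo() -> dict:
    email, dob = "user@example.com", "1990-01-01"  # constructed sample values
    svc = ResetService()
    mailed = svc.request_reset(email)
    return {
        "guess_from_known_data": svc.complete_reset(email, derived_token(email, dob)),
        "mailed_token_first_use": svc.complete_reset(email, mailed),
        "mailed_token_replay": svc.complete_reset(email, mailed),
    }
```

With the hardened service, knowing the e-mail address and date of birth is not enough: only the value that was mailed completes the reset, and only once.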
 

Azih

Member
May 31, 2004
19,276
3
0
40
Canada
XiaNaphryz said:
That's the key word - considering the amount of money this is going to cost them overall, what if they skimped out and did the bare minimum in this area trying to find cost-savings?
Sony's a big company, I wouldn't be surprised if Sony hired people to comb through the back end and didn't think of doing the same for their web front end.
 

Igo

Member
May 10, 2008
3,675
0
0
alphaNoid said:
Sadly people will convince themselves free stuff negates all of Sony's mishaps.
The more 'mishaps' and free shit for me, the better.
 