• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
  • The Politics forum has been nuked. Please do not bring political discussion to the rest of the site, or you will be removed. Thanks.

Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

ghst

thanks for the laugh
May 9, 2006
15,206
2
0
London, UK
HaRyu said:
And if the graphics card in your PC dies... you're going to be spending less than $150 to replace it?

PC gaming is too expensive for me, only because I have bad luck w/ hardware... I keep killing my graphics cards every 6 months. And I buy the $180+ cards usually.
boy are you gonna be pissed when you find out about RMAs.
 

Mithos

Member
Apr 26, 2006
6,261
704
1,565
Sweden
So what if I have already changed my passwords like 5 minutes after PSN started up, could they still change the password AGAIN for me if they wanted?

Can still login to PSN on the PS3 using the new password I made at the time of PSN resurrection.
 

Massa

Member
Jan 16, 2009
16,846
1
0
iapetus said:
I know this, but there was some confusion among others about it. But the PSN+ offer was touted as providing 'free games' by some, which isn't the case (see them as a free rental, I guess...)

They most definitely are free games. Just like the games I play on my web browser for free are free even if they're taken offline tomorrow.

Technically, I suppose, people are granted a license to use the game which expires unlike the license they normally get when they directly pay for the game. In neither case do they "own" the software (instead, own a license to use it), but in both cases they get to play it in its entirety.
 

FirstInHell

Banned
Apr 15, 2005
1,552
0
0
omg
HaRyu said:
Are we going to keep track of all the people who are jumping ship so we can call them trolls later?

Which reminds me, whatever happened to that guy who sold two PS3s and 45 games? Did he have a 3rd PS3?

Sold them all!
 
Mar 16, 2011
6,492
0
680
Zoe said:
So this has been around since the beginning?

Makes sense that it wasn't caught then.
If I knew your email and DOB I could have taken control of your account since the online sites creation. It has always been like this. It's kinda bad the media is probably gonna blow this up when arguably its always been a problem.
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
Mithos said:
So what if I have already changed my passwords like 5 minutes after PSN started up, could they still change the password AGAIN for me if they wanted?

Can still login to PSN on the PS3 using the new password I made at the time of PSN resurrection.

Only if Sony doesn't have this fixed when the restore page comes back up.

You would still receive the notification emails, however, and they instruct you to contact support if your password was changed on you.
 

alphaNoid

Banned
Mar 8, 2010
8,322
0
0
At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
MTMBStudios said:
I thought this was kind of lazy when I noticed it a long time ago (so on my alt accounts I used fake DOBs). How is it no one noticed this on the internet? This isn't some huge debacle, they are going to make the site require email verification (like it should) or make you change your email. I mean honestly people's friends/anyone could have stolen your accounts SINCE THE BEGINNING of PSN if they knew your date of birth.
How long is "a long time ago"?

EDIT: Already asked. I guess i should have updated the page before i posted =)
 
Mar 16, 2011
6,492
0
680
alphaNoid said:
At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.
Yeah, people should jump ship... over a weird password reset feature that has been there since the beginning of PSN?

I noticed it roughly about a year or two ago when I had to reset a password.
Edit: I just checked, I noticed this about 1/20/2010 when I had an incident on my account. I guess I should have mentioned it to people, cause apparently no one else did.
 
Dec 7, 2008
2,040
0
975
Pureauthor said:
What's going on in Sony.

No, seriously. what is going on in there?


It is now a real Comedy of Errors. Always if you think there couldn't be any more embarrassment there is a new low point.

I'm beginning to feel pity for them, seriously.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
Combichristoffersen said:
What are you doing to your GPUs? :| I've got a GeForce 6200 in my old desktop PC, shit's over 5 years old by now, but it's still working just fine

Room gets practically no AC, temps inside the old computer got insanely hot, live in Florida...
Its fine during the cold months, but hell, computer pretty much was useless during hot weather.
I also have to point out that CIVILIZATION IV are the reasons why my cards die. Yes, that game. Yes, that's such a stupid reason to kill the cards, I am completely aware of that, but every time my cards die, its always when I'm in the middle of playing Civ 4.
EVERY.
GODDAMN.
TIME.

LUCKILY- That POS computer is no more, replaced it w/ a new rig back in Feb/March. Different case, different fans, different everything, hopefully won't give me as much trouble.
 

Kagari

Crystal Bearer
Nov 28, 2007
60,684
2
1,410
Noblesville, IN
www.novacrystallis.com
alphaNoid said:
At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

Sounds like you did. You've had the same negative tone in every single thread on the subject, and are lucky you weren't banned in the mass cull that happened previously.
 

Combichristoffersen

Combovers don't work when there is no hair
Jun 26, 2009
23,334
2
1,030
Norway
MTMBStudios said:
Yeah, people should jump ship... over a weird password reset feature that has been there since the beginning of PSN?

I noticed it roughly about a year or two ago when I had to reset a password.
Edit: I just checked, I noticed this about 1/20/2010 when I had an incident on my account. I guess I should have mentioned it to people, cause apparently no one else did.

If it's been a vulnerability since PSN first opened, without Sony doing anything to fix it even though it's been known to people, I'm completely lost for words.
 

Loudninja

Member
Jul 30, 2007
53,088
3
0
32
Chicago
alphaNoid said:
At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.
What does this have to do with the network?
 

larvi

Member
Jul 6, 2007
3,569
0
0
HaRyu said:
And if you're actually wondering why I replace my cards every six months, it's because I'm lazy to use the warranty, and usually by that time, I can usually buy a better card anyway, so I do that. :p

Well, you shouldn't be using that as a criticism of PC hardware then since it's your choice. That's where PCs have the advantage is in upgrade options, rather than spending $150 to replace/refurbish several year old technology you have the option of spending $150 and get a shiny new card with improved performance if you so desire.
 
Mar 16, 2011
6,492
0
680
Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
Combichristoffersen said:
If it's been a vulnerability since PSN first opened, without Sony doing anything to fix it even though it's been known to people, I'm completely lost for words.
I dont think that it can been a wide known issue at least, otherwise i'm sure Sony would have picked up this problem earlier.


By the way, does Sony (and Microsoft and Nintendo as well for that matter) have a dedicated email adress where you can report exploits etc.? I assume that contacting the general customer support over things like this isnt the fastest way to get the word through at least.
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
MTMBStudios said:
Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

It does require email verification if the account's not activated on the PS3.

The issue is that there's a web server exploit. I wouldn't be surprised if there are exploits for other companies out there that use similar recovery methods.
 

Massa

Member
Jan 16, 2009
16,846
1
0
MTMBStudios said:
Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

No, the new system (post PSN hack) requires e-mail verificaiton. The problem is that the verification code that is supposed to be sent to the e-mail account is somehow visible to the person that made the request as well.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
MTMBStudios said:
Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.
Original it does require email verification, but there was a way around this somehow.
 

scoobs

Member
Aug 8, 2007
8,214
0
1,030
Funny that all these outside security companies didn't notice this. Really wild situation
 
Mar 16, 2011
6,492
0
680
Zoe said:
It does require email verification if the account's not activated on the PS3.

The issue is that there's a web server exploit. I wouldn't be surprised if there are exploits for other companies out there that use similar recovery methods.
It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.
 

Mithos

Member
Apr 26, 2006
6,261
704
1,565
Sweden
Zoe said:
Only if Sony doesn't have this fixed when the restore page comes back up.
You would still receive the notification emails, however, and they instruct you to contact support if your password was changed on you.

Yeah, but its mind boggling that they somehow missed this when spending almost 4 weeks fixing PSN. Gonna follow Wario64's tip and create new email addresses to use with my PSN-accounts.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
larvi said:
Well, you shouldn't be using that as a criticism of PC hardware then since it's your choice. That's where PCs have the advantage is in upgrade options, rather than spending $150 to replace/refurbish several year old technology you have the option of spending $150 and get a shiny new card with improved performance if you so desire.

That's deviating from the point I was trying to make... and it figures that it would look like I'm trying to say PS3 is better than PC... awkward...

Anyway, the point I was trying to make that paying $150 to fix out of warranty PS3 is no different than spending that much money fixing/replacing out of warranty PC parts.
 

MalboroRed

Banned
Jan 2, 2011
1,032
0
0
Metalmurphy said:
This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.


Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth could change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.


And where the story gets even more interesting is that Sony are just lying about it. This is their latest tweets.


Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:

(the tweets warning about the exploit were removed, most likely cause Sony asked him to)

And now they're fixing the problem.

Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.

You gave a stranger your login and DOB? So do you know your password after it has been changed by that stranger?
 

Luckyman

Banned
Apr 30, 2006
4,688
0
0
alphaNoid said:
At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

Just put fake info and use PSN cards
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
MTMBStudios said:
It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.

exploit definition
security
A security hole or an instance of taking advantage of a security hole.

You are expected to use the recovery link that is emailed to you. Circumventing that is not a feature, it is an exploit. It is using the recovery system in a way that was not intended.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
MTMBStudios said:
It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.
Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?
 
Sep 3, 2006
24,347
0
1,505
Zoe said:
What do you mean?
Well, I changed my pw right after PSN went back online.
But now with this exploit that they only need your nickname an email, would it even make sense to change the pw again or do I need to set up a new email, too?
 

Combichristoffersen

Combovers don't work when there is no hair
Jun 26, 2009
23,334
2
1,030
Norway
test_account said:
I dont think that it can been a wide known issue at least, otherwise i'm sure Sony would have picked up this problem earlier.

Doesn't really matter if it wasn't a widely known security hole, if people knew about it, Sony must've known about it themselves, considering they're the ones who set up and run the PSN service. And if Sony knew about this security hole without doing anything about it.. smh. What a bumblefuck.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
test_account said:
Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?

If you hit the "Forgot Password" link, the next page you see is the recovery page, asking for the email address to the account, and your DOB.

After you enter that information, the next page will ask how do you want to reset your password.

When I tried it yesterday, it only gave me one choice "change via email". I'm assuming there might be more than one choice, and I assume that's the exploit people are using, getting that other choice to appear in the menu.
 

Massa

Member
Jan 16, 2009
16,846
1
0
Patrick Bateman said:
Well, I changed my pw right after PSN went back online.
But now with this exploit that they only need your nickname an email, would it even make sense to change the pw again or do I need to set up a new email, too?

You don't need to do anything, Sony took the affected site offline. On the slim chance someone hacked your account you should have received an e-mail about it and be unable to use your account from your PS3 or PSP, as it would have a different password.
 
Mar 16, 2011
6,492
0
680
test_account said:
Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?
When the website was up and running there was two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
MTMBStudios said:
When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there.

I never got the 2nd choice when I tried messing around w/ it yesterday.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
MTMBStudios said:
I assume the page probably still exists in some form perhaps and these people still had a link to it maybe.

I mentioned that a few posts up, I assume the exploit somehow involves getting that 2nd choice to pop up.
 

Evlar

Banned
Dec 22, 2006
14,386
1
0
MTMBStudios said:
When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.
Huh. Interesting.
 

Persona7

Banned
Sep 24, 2007
30,521
2
0
Oregon
FirstInHell said:
Guys it's a security flaw, but it's been there since the beginning so it's ok.
how is a security flaw ok?


Also when is sony going to allow the change of secret questions for PSN?
 

webrunner

Member
Jan 19, 2007
4,688
0
0
antihero.keenspot.com
MTMBStudios said:
When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.

That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.
 

Knux-Future

Banned
Feb 26, 2008
15,771
0
0
meh....Sony incompetance is just not surprising anymore.


We need to them admit to hacking it themsleves now.

Step your fail game up, Sony.


but seriously the store needs to get fixed soonish....my 360 was a piece of shit so I back to one ( technically 2 with the wii...which Nintendo has left to die) console man. I need my moe fighter, Sony.
 
Status
Not open for further replies.