• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
  • The Politics forum has been nuked. Please do not bring political discussion to the rest of the site, or you will be removed. Thanks.

Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
webrunner said:
That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.

What are these security laws you speak of?
 
Mar 16, 2011
6,492
0
680
webrunner said:
That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.
I think I have seen other sites with lax/weird password recovery, just not on a service in which you could possibly put money on it.

Also I mean the chances of your account being stolen in this time are no different from any other time in history (unless the hackers with the data dump specifically targeted your account).
 

Metalmurphy

Member
Jan 17, 2007
32,670
1
0
Portugal
steamcommunity.com
MTMBStudios said:
When the website was up and running there was two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.


This is incorrect!!!

When you choose to reset the password it asks you for your the login address and your date of birth. Then it sends you an email with an verification link, only AFTER you press that verification link the password is changed. So supposedly only people with access to the email would be able to change it.

The problem is that this exploit allowed them to bypass or access the verification link and change the password even without access to the email.
 

Luckyman

Banned
Apr 30, 2006
4,688
0
0
I want to see custom firmware pushed through PSN. It would then use millions on PS3s ddos random Sony services for lulz
 

Zombie James

Banned
Dec 28, 2005
46,216
5
0
It was easy enough changing the email address associated with my account to one of my other other ones, so I'm not sweating this. At least they were quick(er) to respond.
 
Mar 16, 2011
6,492
0
680
Metalmurphy said:
This is incorrect!!!

When you choose to reset the password it asks you for your the login address and your date of birth. Then it sends you an email with an verification link, only AFTER you press that verification link the password is changed. So supposedly only people with access to the email would be able to change it.

The problem is that this exploit allowed them to bypass or access the verification link and change the password even without access to the email.
Nah, I am 100% certain at some point I was able to change the password on site, and DOB wasnt required for email veri.
 
Mar 16, 2011
6,492
0
680
The person clicked the first to send it by accident. Then he clicked the second option and just changed it on site. How long ago did you check the site?
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
It looks like this may have been what happened:

- There were previously two ways to reset your password via web, one did not require a verification email
- These were consolidated into one option that does require a verification email
- The previous option was not properly removed from the web server allowing people to circumvent the verification email

This is all speculation.
 

Zzoram

Member
Apr 17, 2007
33,493
0
0
FirstInHell said:
Guys it's a security flaw, but it's been there since the beginning so it's ok.

Pathetic. Sony took down PSN for almost a month to fix security problems, and the launch is immediately hampered by a security problem?
 

Malio

Member
May 5, 2009
2,300
252
1,080
Ohio
What the hell happened to Sony?

PS2 was great and all, but christ guys. Use some of that cash to hire network people with a clue or something, hunh?
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
Mmm... how hard would it be to fake being a "trusted PC" for Windows Live? You can change reset your password through the web on their site.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
Combichristoffersen said:
Doesn't really matter if it wasn't a widely known security hole, if people knew about it, Sony must've known about it themselves, considering they're the ones who set up and run the PSN service. And if Sony knew about this security hole without doing anything about it.. smh. What a bumblefuck.
It matters since if it is a widely known security hole, then it is much easier to know about it, not only among hackers, but also among the companies. If there is an exploit that maybe only a handfull of people know about in secrecy, then it is a bigger chance that the exploit will be available for a longer period of time.

But what i ment is that if it was a widely known problem, then i'm sure that Sony would have fixed it a long time ago. And if it was this easy to hijack someone's PSN account for years, then i think that PSN account hijacking would have been a much bigger problem than what it has been.


HaRyu said:
If you hit the "Forgot Password" link, the next page you see is the recovery page, asking for the email address to the account, and your DOB.

After you enter that information, the next page will ask how do you want to reset your password.

When I tried it yesterday, it only gave me one choice "change via email". I'm assuming there might be more than one choice, and I assume that's the exploit people are using, getting that other choice to appear in the menu.
Ok, i see. I think that it is very wierd if e-mail and DOB is all that was needed though, since these things are not concidered as sensitive information in my opinion, especially not in these "Facebook days".


MTMBStudios said:
When the website was up and running there was two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.
Are you absolutely sure about this? I don't mean any offence at all, but i just find it hard to belive that all you needed was the email adress and date of birth to be able to change the password. As i mentioned above here, i dont concider email and DOB as really sensitive information, so i find it hard to belive this was all that it took to change someone's PSN password and that this was possible for years. But i never checked it out myself and i'm not saying that you're lying just to underline that, i just find it hard to belive.

EDIT: Nevermind what i wrote in my edit, it was wrong :)
 

dsp

Member
Sep 29, 2010
1,073
18
770
I didn't have to confirm anything through e-mail when I changed my password. I thought that was really strange. Then I thought about how easy it would be to steal anyone's account. By the end of the night I just assumed I was losing my mind, convincing myself that at some point I did confirm the password change because no one could let such a noticeable exploit pass under the radar. Now I see this thread... I feel a lot better about myself.
 

larvi

Member
Jul 6, 2007
3,569
0
0
test_account said:
EDIT: Come to think of it, if this method was used and if you knew an email adress that was used for a PSN account, you could get the password in maximum 365 guesses. That is really insecure.

The DoB doesn't require a year, only month/day?
 

MechDX

Member
Feb 22, 2007
46,899
0
0
AbsoluteZero said:
I never even got around to changing my password when PSN went back up. How fucked am I? lol


Same here.

What in the bloody hell is going on?
 

Konosuke

Member
Oct 13, 2009
4,375
0
895
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:

DoNotReply@ac.playstation.net [DoNotReply@ac.playstation.net said:
This e-mail confirms that the password for your PlayStation(R)Network Account has been changed.

If you did not intend to change your password, contact Consumer Services for further assistance.

http://www.us.playstation.com/corporate/contactus/


Thank you.

The PlayStation(R)Network Team


--------------------------------------------------------------------------
For answers to frequently asked questions and information about PlayStation(R)Network terms and policies, please visit the links below.

Terms of Service / User Agreement and Privacy Policy:
http://www.us.playstation.com/TermsOfUse

This e-mail message has been delivered from a send-only address. Please do not reply to this message. If you have any questions, contact Consumer Services using the link below.
http://www.us.playstation.com/corporate/contactus/

The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?
 

Zoe

Member
Jan 3, 2007
45,101
2
1,075
39
Austin
You guys can still change it via the PS3 as long as it's activated on there and no one has hijacked your account.


Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

You get two emails if you reset your password via the website. If you do it on the PS3, you only get the final confirmation.

Emails were slow to go out because there are so many password change requests.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?


If your password was changed, you shouldn't even be able to login to PSN. Did you check?
 

Metalmurphy

Member
Jan 17, 2007
32,670
1
0
Portugal
steamcommunity.com
MTMBStudios said:
I think it may have required secret password to change on-site, maybe? Uhhh, anyway I found this:

http://www.mombu.com/games/playstation/t-playstation-network-accounts-are-not-safe-1463930-last.html

I'm still pretty sure at some point I was able to change the password on-site with just the dob and email and thinking that was weird.

I think you're mixing stuff up.

Changing password != Password recovery

If you have access to your account then ofcourse you can change it on the site. It just asks you to type your password 2 times. You still get an email warning it was changed but no confirmation link.

But using the Password recovery site it asks for date of birth and then sends an email with the confirmation link before allowing you to change it.


These people DID NOT have access to my account. Only the email address and the DOB.
 
Mar 16, 2011
6,492
0
680
No I am explicitly talking about password recovery via "forgot password" link. I assume they may have changed it after the attack, but before the attack there was a "change on site" option with no email veri required. What that actually required I am not sure.
 

AbsoluteZero

Banned
Oct 20, 2010
9,090
0
0
Southeastern Louisiana
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?

I submitted a change password request via the account management website but I was slow to get the confirmation e-mail. By the time I noticed it the link had died (I think it deactivates itself after 24 hours or something)

Here's hoping I'm not too much more fucked than usual. I forsee some guy buying a bunch of stuff on my account.
 

Metalmurphy

Member
Jan 17, 2007
32,670
1
0
Portugal
steamcommunity.com
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?

Did you change it on the PS3? If so then you obviously won't have a confirmation link.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
MTMBStudios said:
I think it may have required secret password to change on-site, maybe? Uhhh, anyway I found this:

http://www.mombu.com/games/playstation/t-playstation-network-accounts-are-not-safe-1463930-last.html

I'm still pretty sure at some point I was able to change the password on-site with just the dob and email and thinking that was weird.
Thanks for the link :) From what i understand in that link, you also need to know the secret-question answer as well. That is more secure at least. But even so, i think that any password recovery should only be done through email verification regardless.


larvi said:
The DoB doesn't require a year, only month/day?
Doh, my mistake, sorry :) Not sure how i forgot that year was also required. I will edit my previous post now, thanks for pointing that out =)
 

Massa

Member
Jan 16, 2009
16,846
1
0
dsp said:
I didn't have to confirm anything through e-mail when I changed my password. I thought that was really strange. Then I thought about how easy it would be to steal anyone's account. By the end of the night I just assumed I was losing my mind, convincing myself that at some point I did confirm the password change because no one could let such a noticeable exploit pass under the radar. Now I see this thread... I feel a lot better about myself.

You don't need e-mail confirmation if you do it from a PS3 that already had that account activated, in which case the PS3 itself is the verification.
 

Konosuke

Member
Oct 13, 2009
4,375
0
895
HaRyu said:
If your password was changed, you shouldn't even be able to login to PSN. Did you check?
Zoe said:
You guys can still change it via the PS3 as long as it's activated on there and no one has hijacked your account.
You get two emails if you reset your password via the website. If you do it on the PS3, you only get the final confirmation.

Emails were slow to go out because there are so many password change requests.
Metalmurphy said:
Did you change it on the PS3? If so then you obviously won't have a confirmation link.

I did it on the PS3 and I can log in, thanks guys, I'm much more calm now.
 

larvi

Member
Jul 6, 2007
3,569
0
0
test_account said:
Doh, my mistake, sorry :) Not sure how i forgot that year was also requiered. I will edit my previous post now, thanks for pointing that out =)

I was thinking along the same line originally as well. But even so, assuming 100 years of valid dates (with a high probability of them being clustered within 20 years of that) it's still easy to brute force.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
test_account said:
Thanks for the link :) From what i understand in that link, you also need to know the secret-question answer as well. That is more secure at least. But even so, i think that any password recovery should only be done through email verification regardless.

Well, the key thing is that at least as of last night, there was no choice to update via the web, its unknown when Sony took that 2nd option off (or if it was only missing for me when I went there), but if you were to follow those directions to do that hack, you'd stop at at the enter birthday and email part (because there wasn't even a screen to enter the answer to a security question, it goes straight to "how do you want to reset your password").
 

Metalmurphy

Member
Jan 17, 2007
32,670
1
0
Portugal
steamcommunity.com
MTMBStudios said:
No I am explicitly talking about password recovery via "forgot password" link. I assume they may have changed it after the attack, but before the attack there was a "change on site" option with no email veri required. What that actually required I am not sure.

Don't take this the wrong way but I'm pretty sure you are mistaken. I changed my password several times and it works the way you said, BUT if I was already logged in on the account management site. Using the password recovery it would send it to the email.


I mean... if you could do it on site without the verification link then why does that second email with the verification link even exist? What other option is there.
 

test_account

XP-39C²
Mar 22, 2007
23,612
2
1,130
larvi said:
I was thinking along the same line originally as well. But even so, assuming 100 years of valid dates (with a high probability of them being clustered within 20 years of that) it's still easy to brute force.
Yeah, then you could just make a script that automatically tries every date, unless there was a CAPTCHA check after a few failed attempts, like i.e Hotmail uses. But even with a CAPTCHA, it would still be fairly easy to brute force it manually. Could perhaps be a bit time consuming, but at least it wouldnt take years to do it.


HaRyu said:
Well, the key thing is that at least as of last night, there was no choice to update via the web, its unknown when Sony took that 2nd option off (or if it was only missing for me when I went there), but if you were to follow those directions to do that hack, you'd stop at at the enter birthday and email part (because there wasn't even a screen to enter the answer to a security question, it goes straight to "how do you want to reset your password").
Yeah, i was mostly thinking about how it worked before (maybe like 2 months ago or so), when it seemed to be possible to the 2nd option :)
 

surly

Banned
Aug 13, 2009
3,094
0
0
test_account said:
Thanks for the link :) From what i understand in that link, you also need to know the secret-question answer as well. That is more secure at least.
Kotaku and a few other sites have posted the exploit in full and it's different to the one mentioned above. The answer to the secret question was not needed. It was as the guy on Twitter originally claimed - you just need the email address and date of birth.
 

Phantom Limbs

Banned
Dec 4, 2010
291
0
0
....so should I just go ahead and get the 360 version of L.A. Noire now? I was all set to go out today and get the PS3 version.
 

dorkimoe

Member
Aug 19, 2007
11,361
4,393
1,640
Zeouterlimits said:
Surprising and annoying that this hole a) existed b) was not discovered in their post-fall security review.

Kudos to Nyleveia though, for finding it and informing Sony.
Yeah it's a shame one of the companies getting paid tons to do it didn't find it.
 

HaRyu

Unconfirmed Member
Nov 7, 2007
3,247
0
0
Phantom Limbs said:
....so should I just go ahead and get the 360 version of L.A. Noire now? I was all set to go out today and get the PS3 version.

Brain... hurts...
 
Status
Not open for further replies.