
Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

gofreak

GAF's Bob Woodward
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.
 

HaRyu

Unconfirmed Member
TTP said:
Can you elaborate a bit about the procedure without giving too much away? I'm just curious about it.

The article didn't detail the procedure obviously, but they gave some hints.

Specifically, they posted a link about the reset token, then they followed it up w/ a line that more or less said "when this is used in conjunction w/ another address/link".

I figured if someone dicked around a bit on the website, one could accidentally stumble upon the correct procedure. Like I said, after a few minutes, I had a sudden feeling of "Oh shit, if Sony someone is able to trace this, I'm going to be locked out of my own PSN account", so I stopped at that point. :p

Oh and to clarify, I'm not a hacker-type of person. To me, this seems more on the levels of "any schmuck can probably figure this out". And hey, I have schmuck-level hacking skills, so I figured, what the hell.
 

iapetus

Scary Euro Man
V_Arnold said:
Oh, I would hire Geohot if I were a Sony executive. Then I would make sure he gets his lunch, his lunch money and his credit card data stolen EVERY FUCKING DAY so he has to beg his coworkers for some food.

Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.
 

mujun

Member
expy said:
Least they don't prevent you from playing retail games with a firmware update.

hehe

I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
 

Curufinwe

Member
iapetus said:
Except, of course, he wasn't stupid enough to open a PSN account, so he's actually safe from Sony's incompetence.

I thought it was still disputed whether the blickmanic PSN account belonged to him, and we never found out for sure because the case was settled.
 

HaRyu

Unconfirmed Member
mujun said:
I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.

And watch, he just jinxed us Sony owners... next firmware update, it borks everyone's machines.

*shakes fist* CURSE YOU EXPY!
 
One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.
 

Zoe

Member
Metalmurphy said:
One clarification, I think the red square isn't the new password. It might be the name on my account, it's just that when I created the account I probably used some random name that I don't remember and I thought it would have been the new password.

But there's a space in the middle, and PSN passwords don't allow spaces.

Yes, that's your name + "sama"
 

EagleEyes

Member
mujun said:
I love the way that no matter how big Sony screw up you'd find a way to tell us that MS is worse.
Please don't give that poster any more attention. It's what he lives for apparently.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
I know that you could bypass some of the password security by changing 'security' to 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
 

brentech

Member
Fersis said:
I know that you could bypass some of the password security by changing 'security' to 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.
Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P
 

Hanmik

Member
test_account said:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?

as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
test_account said:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!

brentech said:
Saw you post that as help in the prior thread. Didn't realize it actually bypassed security questions.

Next thing we'll find out is they didn't string-escape their input fields and people took over entire databases! lol

NOT SAYING IT HAPPENED, JUST A JOKE. =P
It was the only way to recover my account. There was no legit way for me since there's no PSN Store assigned to my country. LOL
 

DietRob

i've been begging for over 5 years.
Fersis said:
I know that you could bypass some of the password security by changing 'security' to 'reset' in a URL or something like that.
That's how I had to reset my password.

I just had to put my Date of Birth and mail and BAM! New Password.

Fersis is the haxorz. Confirmed.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
RbBrdMan said:
Fersis is the haxorz. Confirmed.
Dear Kotaku: If you're going to quote me, name me as: Sir. Fersis McFersiston
Thanks.
 

Erebus

Member
test_account said:
So this only potentially affected people who hadn't reset their password? What about those who had reset their password?
It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.
 
expy said:
Least they don't prevent you from playing retail games with a firmware update.

hehe

Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
 

HaRyu

Unconfirmed Member
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
 

brentech

Member
kurtrussell said:
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?
You're just a junior, don't bring that shit here. It won't end well.

Warning shots fired.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
HaRyu said:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?
SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.
 

Hanmik

Member
HaRyu said:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?

they are not telling us what they are doing.. only saying "maintenance"... does that sound familiar..? ;o)
 
gofreak said:
Rather frightening that this could slip through (supposedly) multiple independent audits by external experts. I guess it goes to show that perfect processes don't exist.

I guess the only silver lining here is that the people who exposed the exploit appear to be white-hat, and I presume little if any damage was done as a result. Sony's under a microscope at the moment, but that's no bad thing for the longer term security of PSN.
Nylevia are good people. One of them (or some of them) do the Aniom themes for PS3.
 
HaRyu said:
Considering how we're on the 3rd page and all...

From what I gather, Sony was told, and they took the page that could have caused the exploit down to try and fix the issue, right?

So how is that, as the thread title implies, "Trying to hide it"?

This is the explanation they gave for the site being down

"Fortunately we have got ISPs to release outstanding emails; unfortunately, a small amount of maintenance is required to improve this process"
 

test_account

XP-39C²
Hanmik said:
as far as I know, it only affected people who TOLD other people the email to their PSN account, and the Birthdate they used when they signed up for that PSN-account..

Because you needed those two things to do this "hack".. but maybe people are thinking that the "original psn hackers" have this info..
Fersis said:
If you reset your password you're cool.
The thing was to make SONY send you a 'password' reset email, then you'll change some of the URL and bam!
If you have a new password they don't send you a mail with the URL.

At least that's how I think it works. IT'S NOT A FACT KOTAKU!
Ok, thanks :) By the way, does that mean that the password reset URL had visible email and birthdate in it?

Also, is there a way to figure out which birthday you have registered on PSN? I checked my PSN email from when I registered my account, but it doesn't mention any birthdate there. Since I used a fake name and address, I'm pretty sure that I used a fake birthdate as well.


EDIT:

DarkUSS said:
It's irrelevant if you had reset your password or not. This exploit allows someone who knows your email and birth date to change your password without your consent.
Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
 

Ellis Kim

Banned
Seriously, no kidding. I'm really glad they were white hat.

Does anyone still use "hacker" and "cracker" to differentiate? Is that still a thing being pushed? I can never get myself to accept "cracker" as black hat, at least not with the racial nomenclature that it's had slapped onto it.
 
it's a good thing NeoGAF isn't like so many forums out there that have a wealth of information displayed on user pages like birthdate and email...

so many other forums have all that stuff listed and have those 'HAPPY BIRTHDAY TO ____' things up etc...
 

HaRyu

Unconfirmed Member
Fersis said:
SONY took down all the pages that could lead to the 'haxxz'
They're hiding it by not confirming that this is the reason why they took down the websites.

Doh... didn't catch the last part in the OP.

Never mind. :p
 

TTP

Have a fun! Enjoy!
So I just applied for a password change on my US account, and since my PS3 is not active under that account I've got the confirmation link, which looks like this:

store.playstation.com/accounts/security/resetPassword.action?token=*

So I see the link in the OP has a slightly different URL.

It says
...reset/resetPassword.action...

instead of
...security/resetPassword.action...

Guess this is what Fersis was talking about.

I do wonder how one can get that URL and change it without having access to the recipient email.
 
kurtrussell said:
Isn't that exactly what Sony did when they forced OtherOS owners to choose between a firmware update & new games or OtherOS?

This plus your avatar and junior status means you aren't going to last long here...
 

Erebus

Member
test_account said:
EDIT:


Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.
 

larvi

Member
Great, and the DoB was the one thing that it doesn't appear I can change in my profile. I changed my other personal information to bogus info but couldn't figure out how to change that. Does anyone know a way to do it?
 
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?
 

Angry Fork

Member
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
 

XiaNaphryz

LATIN, MATRIPEDICABUS, DO YOU SPEAK IT
test_account said:
Are you sure? Has someone tested this? I'm not that worried though, but I'm still wondering about it.
Read through the thread man and get caught up! Only took me 5 min. ;P
 
This is hardly encouraging... How did they not discover this exploit before some guy on the internet? Thank god it was a good guy.

Doubt I'll ever feel comfortable having personal information and software licenses linked to my PSN account.
 
MarkMclovin said:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

That's the exploit. They managed to do it by manually changing the URL or something, without need to click the confirmation link that was only sent to the email.
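
An added illustration, not part of any post in this thread and not Sony's code: the flaw as posters describe it (a reset that completes from email and date of birth without the emailed token) next to a handler that accepts only the token. The account store, function names and sample values are constructed for the example.

```python
import hashlib, hmac, os, secrets, time

def _hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample account (illustrative values, not from the thread).
_SALT = os.urandom(16)
ACCOUNTS = {"user@example.com": {"dob": "1990-01-01", "salt": _SALT,
                                 "pw": _hash_pw("old-password", _SALT)}}
TOKENS = {}  # sha256(token) -> (email, expiry); raw tokens are never stored

def _knows_hints(email, dob):
    acct = ACCOUNTS.get(email)
    return acct is not None and hmac.compare_digest(acct["dob"].encode(), dob.encode())

def _set_password(email, new_pw):
    acct = ACCOUNTS[email]
    acct["salt"] = os.urandom(16)
    acct["pw"] = _hash_pw(new_pw, acct["salt"])

def check_password(email, pw):
    acct = ACCOUNTS[email]
    return hmac.compare_digest(acct["pw"], _hash_pw(pw, acct["salt"]))

def request_reset(email, dob):
    """Step 1: email + date of birth only cause a mail to be sent."""
    if not _knows_hints(email, dob):
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (email, time.time() + 900)  # 15-minute lifetime
    return token  # goes to the account's mailbox only

def complete_reset_flawed(email, dob, new_pw):
    """Flawed step 2: finishes the reset from guessable hints, no token."""
    if not _knows_hints(email, dob):
        return False
    _set_password(email, new_pw)
    return True

def complete_reset(token, new_pw):
    """Hardened step 2: the mailed token is the only credential accepted."""
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or time.time() > entry[1]:
        return False  # unknown, already used, or expired
    _set_password(entry[0], new_pw)
    return True
```

The hardened handler never looks at the email or date of birth in step 2, so rewriting the URL path or parameters cannot substitute for possession of the mailbox.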
 

test_account

XP-39C²
DarkUSS said:
That's how I understand it. Metalmurphy handed his login email and birth date to these people and his password on that specific PSN account was changed. He even received the automated email from Sony informing him about the password change.
I see. If that is the case, then it is pretty crazy, being able to change anyone's PSN password just by using Sony's own website. It will probably not be a big problem in general since you need the date of birth info to be able to do it, and Sony will most likely fix it now, but still.
 
Angry Fork said:
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.
yeah, I'm sure nobody is putting any effort into hacking microsoft's passport.net system that holds probably 500 million accounts for xbox live, windows live, hotmail, expedia, skydrive, etc... who would want that!?
 

TTP

Have a fun! Enjoy!
MarkMclovin said:
Hold on. If you had to click on the link that was sent to your email - of which only you have access to - then how was that done?

Have I missed something here?

Going by the identical time stamps of the two emails, I guess it was done "remotely" and perhaps automatically (that is, without the remote person actually getting the verification email).
 

larvi

Member
Angry Fork said:
Everything is exploitable. All the hackers are probably pooling their resources into finding every possible Sony one. I'm not surprised if they find more. If all these hackers put all their efforts into doing the same for Microsoft I bet they'd find exploits there as well.

Microsoft has been a prime target for hackers since back in the MS-DOS days.
 