Support NeoGAF

[ghst]

And if the graphics card in your PC dies... you're going to be spending less than $150 to replace it?

PC gaming is too expensive for me, only because I have bad luck w/ hardware... I keep killing my graphics cards every 6 months. And I buy the $180+ cards usually.

boy are you gonna be pissed when you find out about RMAs.

 

[Mithos]

So what if I have already changed my passwords like 5 minutes after PSN started up, could they still change the password AGAIN for me if they wanted?

Can still login to PSN on the PS3 using the new password I made at the time of PSN resurrection.

 

[Massa]

I know this, but there was some confusion among others about it. But the PSN+ offer was touted as providing 'free games' by some, which isn't the case (see them as a free rental, I guess...)

They most definitely are free games. Just like the games I play on my web browser for free are free even if they're taken offline tomorrow.

Technically, I suppose, people are granted a license to use the game which expires unlike the license they normally get when they directly pay for the game. In neither case do they "own" the software (instead, own a license to use it), but in both cases they get to play it in its entirety.

 

[FirstInHell]

Are we going to keep track of all the people who are jumping ship so we can call them trolls later?

Which reminds me, whatever happened to that guy who sold two PS3s and 45 games? Did he have a 3rd PS3?

Sold them all!

 

[AcceptableGhost]

So this has been around since the beginning?

Makes sense that it wasn't caught then.

If I knew your email and DOB I could have taken control of your account since the online sites creation. It has always been like this. It's kinda bad the media is probably gonna blow this up when arguably its always been a problem.

 

[Zoe]

So what if I have already changed my passwords like 5 minutes after PSN started up, could they still change the password AGAIN for me if they wanted?

Can still login to PSN on the PS3 using the new password I made at the time of PSN resurrection.

Only if Sony doesn't have this fixed when the restore page comes back up.

You would still receive the notification emails, however, and they instruct you to contact support if your password was changed on you.

 

[Uno Venova]

Jesus Sony. Well good thing I changed the email as soon as I heard the news.

 

[alphaNoid]

At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

 

[test_account]

I thought this was kind of lazy when I noticed it a long time ago (so on my alt accounts I used fake DOBs). How is it no one noticed this on the internet? This isn't some huge debacle, they are going to make the site require email verification (like it should) or make you change your email. I mean honestly people's friends/anyone could have stolen your accounts SINCE THE BEGINNING of PSN if they knew your date of birth.

How long is "a long time ago"?

EDIT: Already asked. I guess i should have updated the page before i posted =)

 

[AcceptableGhost]

At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

Yeah, people should jump ship... over a weird password reset feature that has been there since the beginning of PSN?

I noticed it roughly about a year or two ago when I had to reset a password.
Edit: I just checked, I noticed this about 1/20/2010 when I had an incident on my account. I guess I should have mentioned it to people, cause apparently no one else did.

 

[Art Teitlebaum]

What's going on in Sony.

No, seriously. what is going on in there?

It is now a real Comedy of Errors. Always if you think there couldn't be any more embarrassment there is a new low point.

I'm beginning to feel pity for them, seriously.

 

[HaRyu]

What are you doing to your GPUs? :| I've got a GeForce 6200 in my old desktop PC, shit's over 5 years old by now, but it's still working just fine

Room gets practically no AC, temps inside the old computer got insanely hot, live in Florida...
Its fine during the cold months, but hell, computer pretty much was useless during hot weather.
I also have to point out that CIVILIZATION IV are the reasons why my cards die. Yes, that game. Yes, that's such a stupid reason to kill the cards, I am completely aware of that, but every time my cards die, its always when I'm in the middle of playing Civ 4.
EVERY.
GODDAMN.
TIME.

LUCKILY- That POS computer is no more, replaced it w/ a new rig back in Feb/March. Different case, different fans, different everything, hopefully won't give me as much trouble.

 

[Kagari]

At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

Sounds like you did. You've had the same negative tone in every single thread on the subject, and are lucky you weren't banned in the mass cull that happened previously.

 

[Proposed Law]

This is why I warned people to changed their email addresses too and not just password alone.

Are we starting another contest guessing when it will back up again?

May 30 for me

 

[Combichristoffersen]

Yeah, people should jump ship... over a weird password reset feature that has been there since the beginning of PSN?

I noticed it roughly about a year or two ago when I had to reset a password.
Edit: I just checked, I noticed this about 1/20/2010 when I had an incident on my account. I guess I should have mentioned it to people, cause apparently no one else did.

If it's been a vulnerability since PSN first opened, without Sony doing anything to fix it even though it's been known to people, I'm completely lost for words.

 

[Loudninja]

At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

What does this have to do with the network?

 

[larvi]

And if you're actually wondering why I replace my cards every six months, it's because I'm lazy to use the warranty, and usually by that time, I can usually buy a better card anyway, so I do that.

Well, you shouldn't be using that as a criticism of PC hardware then since it's your choice. That's where PCs have the advantage is in upgrade options, rather than spending $150 to replace/refurbish several year old technology you have the option of spending $150 and get a shiny new card with improved performance if you so desire.

 

[AcceptableGhost]

Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

 

[test_account]

If it's been a vulnerability since PSN first opened, without Sony doing anything to fix it even though it's been known to people, I'm completely lost for words.

I dont think that it can been a wide known issue at least, otherwise i'm sure Sony would have picked up this problem earlier.


By the way, does Sony (and Microsoft and Nintendo as well for that matter) have a dedicated email adress where you can report exploits etc.? I assume that contacting the general customer support over things like this isnt the fastest way to get the word through at least.

 

[Kagari]

If it's been a vulnerability since PSN first opened, without Sony doing anything to fix it even though it's been known to people, I'm completely lost for words.

Haha yeah. Wonder why no one said anything to them until now...

 

[Zoe]

Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

It does require email verification if the account's not activated on the PS3.

The issue is that there's a web server exploit. I wouldn't be surprised if there are exploits for other companies out there that use similar recovery methods.

 

[Massa]

Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

No, the new system (post PSN hack) requires e-mail verificaiton. The problem is that the verification code that is supposed to be sent to the e-mail account is somehow visible to the person that made the request as well.

 

[test_account]

Yeah honestly I don't think I have ever seen a password reset that doesn't require email verification other then Sony's. Was probably a bad idea from the get go.

Original it does require email verification, but there was a way around this somehow.

 

[scoobs]

Funny that all these outside security companies didn't notice this. Really wild situation

 

[Zoe]

Funny that all these outside security companies didn't notice this. Really wild situation

They probably didn't touch the web services at all.

 

[AcceptableGhost]

It does require email verification if the account's not activated on the PS3.

The issue is that there's a web server exploit. I wouldn't be surprised if there are exploits for other companies out there that use similar recovery methods.

It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.

 

[Utako]

Ancient history. Let's leave it there.

Nope, it's still this generation.

 

[Mithos]

Only if Sony doesn't have this fixed when the restore page comes back up.
You would still receive the notification emails, however, and they instruct you to contact support if your password was changed on you.

Yeah, but its mind boggling that they somehow missed this when spending almost 4 weeks fixing PSN. Gonna follow Wario64's tip and create new email addresses to use with my PSN-accounts.

 

[HaRyu]

Well, you shouldn't be using that as a criticism of PC hardware then since it's your choice. That's where PCs have the advantage is in upgrade options, rather than spending $150 to replace/refurbish several year old technology you have the option of spending $150 and get a shiny new card with improved performance if you so desire.

That's deviating from the point I was trying to make... and it figures that it would look like I'm trying to say PS3 is better than PC... awkward...

Anyway, the point I was trying to make that paying $150 to fix out of warranty PS3 is no different than spending that much money fixing/replacing out of warranty PC parts.

 

[MalboroRed]

This is a continuation on this story:
http://www.neogaf.com/forum/showthread.php?t=430519

First, to avoid unnecessary panic, let me just say that Sony already took the page down, and are most likely fixing it, and if you were a victim of this, you would get an email warning someone had changed your password, so if you didn't, you're safe.


Now to the whole story:
This guy on twitter ( http://twitter.com/#!/Nyleveia ) was claiming there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and Date of Birth could change your password without you confirming it. Personally I didn't believe him so I gave him my login and dob. He didn't reply for a long time so I went to sleep. This morning however I got these 2 emails.
The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link... So yeah... my password was successfully changed by someone else.


And where the story gets even more interesting is that Sony are just lying about it. This is their latest tweets.


Improve email process my ass. They took the password recovery page down because of this problem. Nyleveia warned about it, as confirmed by the latest tweet:

(the tweets warning about the exploit were removed, most likely cause Sony asked him to)

And now they're fixing the problem.

Honestly, I was never bothered by the original hack, no network is secure and I think Sony wasn't to blame and that they handled the entire thing by the book and quite well. This however... this is 100% on them, and what bothers me the most is that they're lying about it.

You gave a stranger your login and DOB? So do you know your password after it has been changed by that stranger?

 

[Luckyman]

At this point I don't blame people for jumping ship, or at least refusing to use PSN services going forward. Clearly the network still isn't secure.

Just put fake info and use PSN cards

 

[Zoe]

It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.

exploit definition
security
A security hole or an instance of taking advantage of a security hole.

You are expected to use the recovery link that is emailed to you. Circumventing that is not a feature, it is an exploit. It is using the recovery system in a way that was not intended.

 

[test_account]

It's not an "exploit". It's a very loose password recovery system that has been there forever. I repeat, the online website has NEVER REQUIRED EMAIL VERIFICATION to password reset.

Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?

 

[Patrick Bateman]

What do you mean?

Well, I changed my pw right after PSN went back online.
But now with this exploit that they only need your nickname an email, would it even make sense to change the pw again or do I need to set up a new email, too?

 

[Combichristoffersen]

I dont think that it can been a wide known issue at least, otherwise i'm sure Sony would have picked up this problem earlier.

Doesn't really matter if it wasn't a widely known security hole, if people knew about it, Sony must've known about it themselves, considering they're the ones who set up and run the PSN service. And if Sony knew about this security hole without doing anything about it.. smh. What a bumblefuck.

 

[HaRyu]

Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?

If you hit the "Forgot Password" link, the next page you see is the recovery page, asking for the email address to the account, and your DOB.

After you enter that information, the next page will ask how do you want to reset your password.

When I tried it yesterday, it only gave me one choice "change via email". I'm assuming there might be more than one choice, and I assume that's the exploit people are using, getting that other choice to appear in the menu.

 

[Massa]

Well, I changed my pw right after PSN went back online.
But now with this exploit that they only need your nickname an email, would it even make sense to change the pw again or do I need to set up a new email, too?

You don't need to do anything, Sony took the affected site offline. On the slim chance someone hacked your account you should have received an e-mail about it and be unable to use your account from your PS3 or PSP, as it would have a different password.

 

[AcceptableGhost]

Out of curiousity, how did that work? Lets say i forgot my PSN password, went to Sony's site, wrote in my PSN email address and chose "forgot password". What would happened next if there was no email verification?

When the website was up and running there was two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.

 

[Loudninja]

You don't need to do anything, Sony took the site offline.

Its been offline for awhile now.

 

[HaRyu]

When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there.

I never got the 2nd choice when I tried messing around w/ it yesterday.

 

[AcceptableGhost]

I never got the 2nd choice when I tried messing around w/ it yesterday.

I assume the page probably still exists in some form perhaps and these people still had a link to it maybe.

 

[Metalmurphy]

You gave a stranger your login and DOB? So do you know your password after it has been changed by that stranger?

It was a secondary account, not much loss. But, the guy did email me the new password so I can retrieve the account once the website is back online.

 

[FirstInHell]

Guys it's a security flaw, but it's been there since the beginning so it's ok.

 

[HaRyu]

I assume the page probably still exists in some form perhaps and these people still had a link to it maybe.

I mentioned that a few posts up, I assume the exploit somehow involves getting that 2nd choice to pop up.

 

[Evlar]

When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.

Huh. Interesting.

 

[Persona7]

Guys it's a security flaw, but it's been there since the beginning so it's ok.

how is a security flaw ok?


Also when is sony going to allow the change of secret questions for PSN?

 

[webrunner]

When the website was up and running there was two options if I remember correctly. There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. Its explicit.

It's not an exploit. It has always been this way on purpose. Or atleast that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.

That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.

 

[Knux-Future]

meh....Sony incompetance is just not surprising anymore.


We need to them admit to hacking it themsleves now.

Step your fail game up, Sony.


but seriously the store needs to get fixed soonish....my 360 was a piece of shit so I back to one ( technically 2 with the wii...which Nintendo has left to die) console man. I need my moe fighter, Sony.

 

[Deadly Joker]

how is a security flaw ok?

I'm pretty sure he was being sarcastic.

 

[Giriath_89]

Well this is all lovely. I guess I'm lucky someone didn't steal my account, since I only just saw all this.