
Sony had an exploit on their PSN password recovery page and is now fixed

Status
Not open for further replies.

Zoe

Member
webrunner said:
That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.

What are these security laws you speak of?
 
webrunner said:
That is.. ridiculously insecure. I mean.. negligently so. If having such a ridiculous page anywhere near your system isn't illegal then I wonder what the hell security laws are for.
I think I have seen other sites with lax/weird password recovery, just not on a service in which you could possibly put money on it.

Also I mean the chances of your account being stolen in this time are no different from any other time in history (unless the hackers with the data dump specifically targeted your account).
 
MTMBStudios said:
When the website was up and running there were two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. It's explicit.

It's not an exploit. It has always been this way on purpose. Or at least that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.


This is incorrect!!!

When you choose to reset the password it asks you for your login address and your date of birth. Then it sends you an email with a verification link, only AFTER you press that verification link the password is changed. So supposedly only people with access to the email would be able to change it.

The problem is that this exploit allowed them to bypass or access the verification link and change the password even without access to the email.
 

Luckyman

Banned
I want to see custom firmware pushed through PSN. It would then use millions on PS3s ddos random Sony services for lulz
 

webrunner

Member
Zoe said:
What are these security laws you speak of?

I'm pretty sure there are laws regarding security on sites such as Playstation Network (such as protecting credit card information, etc). But I guess I'm not sure.
 
It was easy enough changing the email address associated with my account to one of my other other ones, so I'm not sweating this. At least they were quick(er) to respond.
 
Metalmurphy said:
This is incorrect!!!

When you choose to reset the password it asks you for your login address and your date of birth. Then it sends you an email with a verification link, only AFTER you press that verification link the password is changed. So supposedly only people with access to the email would be able to change it.

The problem is that this exploit allowed them to bypass or access the verification link and change the password even without access to the email.
Nah, I am 100% certain at some point I was able to change the password on site, and DOB wasn't required for email veri.
 
MTMBStudios said:
Nah, I am 100% certain at some point I was able to change the password on site, and DOB wasn't required for email veri.

Check the OP. It's right there.
First email contains the confirmation link.
Second email is the confirmation the password was changed.
 
The person clicked the first to send it by accident. Then he clicked the second option and just changed it on site. How long ago did you check the site?
 
MTMBStudios said:
The person clicked the first to send it by accident. Then he clicked the second option and just changed it on site. How long ago did you check the site?

Please don't just throw wild guesses as facts...
 

Zoe

Member
It looks like this may have been what happened:

- There were previously two ways to reset your password via web, one did not require a verification email
- These were consolidated into one option that does require a verification email
- The previous option was not properly removed from the web server allowing people to circumvent the verification email

This is all speculation.
 

Zzoram

Member
FirstInHell said:
Guys it's a security flaw, but it's been there since the beginning so it's ok.

Pathetic. Sony took down PSN for almost a month to fix security problems, and the launch is immediately hampered by a security problem?
 

Malio

Member
What the hell happened to Sony?

PS2 was great and all, but christ guys. Use some of that cash to hire network people with a clue or something, hunh?
 

HaRyu

Unconfirmed Member
Mmm... how hard would it be to fake being a "trusted PC" for Windows Live? You can reset your password through the web on their site.
 

test_account

XP-39C²
Combichristoffersen said:
Doesn't really matter if it wasn't a widely known security hole, if people knew about it, Sony must've known about it themselves, considering they're the ones who set up and run the PSN service. And if Sony knew about this security hole without doing anything about it.. smh. What a bumblefuck.
It matters since if it is a widely known security hole, then it is much easier to know about it, not only among hackers, but also among the companies. If there is an exploit that maybe only a handful of people know about in secrecy, then there is a bigger chance that the exploit will be available for a longer period of time.

But what I meant is that if it was a widely known problem, then I'm sure that Sony would have fixed it a long time ago. And if it was this easy to hijack someone's PSN account for years, then I think that PSN account hijacking would have been a much bigger problem than what it has been.


HaRyu said:
If you hit the "Forgot Password" link, the next page you see is the recovery page, asking for the email address to the account, and your DOB.

After you enter that information, the next page will ask how do you want to reset your password.

When I tried it yesterday, it only gave me one choice "change via email". I'm assuming there might be more than one choice, and I assume that's the exploit people are using, getting that other choice to appear in the menu.
Ok, I see. I think that it is very weird if e-mail and DOB is all that was needed though, since these things are not considered sensitive information in my opinion, especially not in these "Facebook days".


MTMBStudios said:
When the website was up and running there were two options if I remember correctly when you click "forgot password". There was
1. Send reset password email.
2. Change via website.

Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and dob, and entering those would let you change the password ON THE SITE. It's explicit.

It's not an exploit. It has always been this way on purpose. Or at least that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.
Are you absolutely sure about this? I don't mean any offence at all, but I just find it hard to believe that all you needed was the email address and date of birth to be able to change the password. As I mentioned above here, I don't consider email and DOB as really sensitive information, so I find it hard to believe this was all that it took to change someone's PSN password and that this was possible for years. But I never checked it out myself and I'm not saying that you're lying, just to underline that, I just find it hard to believe.

EDIT: Never mind what I wrote in my edit, it was wrong :)
 

dsp

Member
I didn't have to confirm anything through e-mail when I changed my password. I thought that was really strange. Then I thought about how easy it would be to steal anyone's account. By the end of the night I just assumed I was losing my mind, convincing myself that at some point I did confirm the password change because no one could let such a noticeable exploit pass under the radar. Now I see this thread... I feel a lot better about myself.
 

larvi

Member
test_account said:
EDIT: Come to think of it, if this method was used and if you knew an email address that was used for a PSN account, you could get the password in maximum 365 guesses. That is really insecure.

The DoB doesn't require a year, only month/day?
 

Konosuke

Member
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:

DoNotReply@ac.playstation.net said:
This e-mail confirms that the password for your PlayStation(R)Network Account has been changed.

If you did not intend to change your password, contact Consumer Services for further assistance.

http://www.us.playstation.com/corporate/contactus/


Thank you.

The PlayStation(R)Network Team


--------------------------------------------------------------------------
For answers to frequently asked questions and information about PlayStation(R)Network terms and policies, please visit the links below.

Terms of Service / User Agreement and Privacy Policy:
http://www.us.playstation.com/TermsOfUse

This e-mail message has been delivered from a send-only address. Please do not reply to this message. If you have any questions, contact Consumer Services using the link below.
http://www.us.playstation.com/corporate/contactus/

The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?
 

Zoe

Member
You guys can still change it via the PS3 as long as it's activated on there and no one has hijacked your account.


Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

You get two emails if you reset your password via the website. If you do it on the PS3, you only get the final confirmation.

Emails were slow to go out because there are so many password change requests.
 

HaRyu

Unconfirmed Member
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?


If your password was changed, you shouldn't even be able to login to PSN. Did you check?
 
MTMBStudios said:
I think it may have required secret password to change on-site, maybe? Uhhh, anyway I found this:

http://www.mombu.com/games/playstation/t-playstation-network-accounts-are-not-safe-1463930-last.html

I'm still pretty sure at some point I was able to change the password on-site with just the dob and email and thinking that was weird.

I think you're mixing stuff up.

Changing password != Password recovery

If you have access to your account then of course you can change it on the site. It just asks you to type your password 2 times. You still get an email warning it was changed but no confirmation link.

But using the Password recovery site it asks for date of birth and then sends an email with the confirmation link before allowing you to change it.


These people DID NOT have access to my account. Only the email address and the DOB.
 
No I am explicitly talking about password recovery via "forgot password" link. I assume they may have changed it after the attack, but before the attack there was a "change on site" option with no email veri required. What that actually required I am not sure.
 
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?

I submitted a change password request via the account management website but I was slow to get the confirmation e-mail. By the time I noticed it the link had died (I think it deactivates itself after 24 hours or something)

Here's hoping I'm not too much more fucked than usual. I foresee some guy buying a bunch of stuff on my account.
 
Konosuke said:
This is getting embarrassing now for Sony. I just got home and saw this. To clarify, you are compromised if you receive two e-mails right? One with a link and another without, correct?

I'm asking this since I checked the e-mail I used for my secondary US account and I received this e-mail yesterday:



The thing is, I don't have the e-mail with a link in it, just this one. I'm not sure if I changed the password yesterday or Monday. Am I safe GAF?

Did you change it on the PS3? If so then you obviously won't have a confirmation link.
 

test_account

XP-39C²
MTMBStudios said:
I think it may have required secret password to change on-site, maybe? Uhhh, anyway I found this:

http://www.mombu.com/games/playstation/t-playstation-network-accounts-are-not-safe-1463930-last.html

I'm still pretty sure at some point I was able to change the password on-site with just the dob and email and thinking that was weird.
Thanks for the link :) From what I understand in that link, you also need to know the secret-question answer as well. That is more secure at least. But even so, I think that any password recovery should only be done through email verification regardless.


larvi said:
The DoB doesn't require a year, only month/day?
Doh, my mistake, sorry :) Not sure how I forgot that year was also required. I will edit my previous post now, thanks for pointing that out =)
 

Massa

Member
dsp said:
I didn't have to confirm anything through e-mail when I changed my password. I thought that was really strange. Then I thought about how easy it would be to steal anyone's account. By the end of the night I just assumed I was losing my mind, convincing myself that at some point I did confirm the password change because no one could let such a noticeable exploit pass under the radar. Now I see this thread... I feel a lot better about myself.

You don't need e-mail confirmation if you do it from a PS3 that already had that account activated, in which case the PS3 itself is the verification.
 

Konosuke

Member
HaRyu said:
If your password was changed, you shouldn't even be able to login to PSN. Did you check?
Zoe said:
You guys can still change it via the PS3 as long as it's activated on there and no one has hijacked your account.
You get two emails if you reset your password via the website. If you do it on the PS3, you only get the final confirmation.

Emails were slow to go out because there are so many password change requests.
Metalmurphy said:
Did you change it on the PS3? If so then you obviously won't have a confirmation link.

I did it on the PS3 and I can log in, thanks guys, I'm much more calm now.
 

larvi

Member
test_account said:
Doh, my mistake, sorry :) Not sure how I forgot that year was also required. I will edit my previous post now, thanks for pointing that out =)

I was thinking along the same line originally as well. But even so, assuming 100 years of valid dates (with a high probability of them being clustered within 20 years of that) it's still easy to brute force.
 

HaRyu

Unconfirmed Member
test_account said:
Thanks for the link :) From what I understand in that link, you also need to know the secret-question answer as well. That is more secure at least. But even so, I think that any password recovery should only be done through email verification regardless.

Well, the key thing is that at least as of last night, there was no choice to update via the web. It's unknown when Sony took that 2nd option off (or if it was only missing for me when I went there), but if you were to follow those directions to do that hack, you'd stop at the enter birthday and email part (because there wasn't even a screen to enter the answer to a security question, it goes straight to "how do you want to reset your password").
 
MTMBStudios said:
No I am explicitly talking about password recovery via "forgot password" link. I assume they may have changed it after the attack, but before the attack there was a "change on site" option with no email veri required. What that actually required I am not sure.

Don't take this the wrong way but I'm pretty sure you are mistaken. I changed my password several times and it works the way you said, BUT if I was already logged in on the account management site. Using the password recovery it would send it to the email.


I mean... if you could do it on site without the verification link then why does that second email with the verification link even exist? What other option is there.
 

test_account

XP-39C²
larvi said:
I was thinking along the same line originally as well. But even so, assuming 100 years of valid dates (with a high probability of them being clustered within 20 years of that) it's still easy to brute force.
Yeah, then you could just make a script that automatically tries every date, unless there was a CAPTCHA check after a few failed attempts, like Hotmail uses. But even with a CAPTCHA, it would still be fairly easy to brute force it manually. Could perhaps be a bit time consuming, but at least it wouldn't take years to do it.


HaRyu said:
Well, the key thing is that at least as of last night, there was no choice to update via the web. It's unknown when Sony took that 2nd option off (or if it was only missing for me when I went there), but if you were to follow those directions to do that hack, you'd stop at the enter birthday and email part (because there wasn't even a screen to enter the answer to a security question, it goes straight to "how do you want to reset your password").
Yeah, I was mostly thinking about how it worked before (maybe like 2 months ago or so), when it seemed to be possible to use the 2nd option :)
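The two design problems the thread keeps circling back to are Zoe's speculation that a second, unverified reset path was left reachable alongside the mailed-link one, and larvi's and test_account's point that email plus date of birth is a small enough secret to guess through by script. The sketch below is an added example, not code from this thread or from Sony, of a recovery endpoint built so that neither problem arises: the only code path that writes a password demands a single-use, expiring token that was mailed out, and the email+DOB step is rate-limited and answers identically whether or not the pair matched. The class and function names, the limits, the 24-hour token lifetime (taken from a poster's recollection) and the in-memory "outbox" standing in for a mailer are all assumptions; the account is constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TOKEN_TTL = 24 * 3600      # a poster recalled the mailed link dying after about a day
MAX_RECOVERY_ATTEMPTS = 5        # email+DOB guesses allowed per account per window (assumed policy)
ATTEMPT_WINDOW = 3600            # seconds


def hash_password(password, salt=None):
    """Salted PBKDF2 hash stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class Account:
    email: str
    dob: str             # "YYYY-MM-DD"
    password_hash: str


class PasswordRecovery:
    """Hypothetical two-step recovery: step 1 only mails a token, step 2 needs that token."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.now = now
        self.pending = {}    # sha256(token) -> (email, expiry); only the hash is kept server-side
        self.attempts = {}   # email -> timestamps of recent recovery requests
        self.outbox = []     # constructed stand-in for the mail sender

    def _throttled(self, email):
        t = self.now()
        recent = [s for s in self.attempts.get(email, []) if t - s < ATTEMPT_WINDOW]
        self.attempts[email] = recent + [t]
        return len(recent) >= MAX_RECOVERY_ATTEMPTS

    def request_reset(self, email, dob):
        """Step 1. Email+DOB is weak knowledge (a few tens of thousands of plausible dates),
        so it is rate-limited, never changes the password, and answers the same way whether
        or not the pair matched, so a caller cannot learn which part was wrong."""
        if self._throttled(email):
            return "throttled"
        acct = self.accounts.get(email)
        if acct is not None and hmac.compare_digest(acct.dob, dob):
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (email, self.now() + RESET_TOKEN_TTL)
            self.outbox.append((email, token))  # the verification link carries this token
        return "ok"

    def complete_reset(self, token, new_password):
        """Step 2. The only code path that writes a password; it requires a live, unused
        token from step 1, so there is no second, unverified path to forget to remove."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)   # pop makes the token single-use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.accounts[email].password_hash = hash_password(new_password)
        self.outbox.append((email, "your password was changed"))  # the second mail in the thread
        return True


def demo():
    """Walk the flow with a controllable clock; returns the outcomes for checking."""
    clock = [1_000_000.0]
    alice = Account("alice@example.com", "1990-04-12", hash_password("old-pw"))  # constructed
    svc = PasswordRecovery([alice], now=lambda: clock[0])
    r = {}
    r["wrong_dob"] = svc.request_reset(alice.email, "1990-04-13")
    r["mailed_after_wrong"] = len(svc.outbox)
    svc.request_reset(alice.email, "1990-04-12")
    _, token = svc.outbox[-1]
    r["pw_unchanged_before_link"] = verify_password("old-pw", alice.password_hash)
    r["guessed_token_rejected"] = svc.complete_reset("not-the-token", "x")
    r["real_token_accepted"] = svc.complete_reset(token, "new-pw")
    r["token_reuse_rejected"] = svc.complete_reset(token, "other")
    r["new_pw_works"] = verify_password("new-pw", alice.password_hash)
    # a DOB-guessing loop runs into the per-account limit (two attempts were already used above)
    r["dob_guesses"] = [svc.request_reset(alice.email, "1980-01-01") for _ in range(4)]
    # a token left unused past its lifetime is refused
    clock[0] += ATTEMPT_WINDOW + 1                 # lets the limiter window expire
    svc.request_reset(alice.email, "1990-04-12")
    _, late_token = svc.outbox[-1]
    clock[0] += RESET_TOKEN_TTL + 1
    r["expired_token_rejected"] = svc.complete_reset(late_token, "late-pw")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `demo()` is the ordering: a correct email+DOB pair produces nothing but a mailed token, the password on the account is untouched until `complete_reset` sees that token, and the token dies on first use or on expiry. The limiter counts requests per account string, not per result, so an unknown address is throttled exactly like a known one and the endpoint reveals nothing about which accounts exist.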
 

surly

Banned
test_account said:
Thanks for the link :) From what i understand in that link, you also need to know the secret-question answer as well. That is more secure at least.
Kotaku and a few other sites have posted the exploit in full and it's different to the one mentioned above. The answer to the secret question was not needed. It was as the guy on Twitter originally claimed - you just need the email address and date of birth.
 

dorkimoe

Member
Zeouterlimits said:
Surprising and annoying that this hole a) existed b) was not discovered in their post-fall security review.

Kudos to Nyleveia though, for finding it and informing Sony.
Yeah it's a shame one of the companies getting paid tons to do it didn't find it.
 