Feeds

New PlayStation Network hack hijacks user accounts

Sony removes sign-in pages to contain damage

Top three mobile application threats

Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.

The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user's account, Daniel Pilkington, the site's founder, told The Register. He said he observed internet chat relay discussions that showed a small number of people exploiting the flaw “to take control of an unknown number of accounts.”

“It had the potential to be used maliciously, but we think Sony acted soon enough,” Pilkington said.

Once Sony disabled the login pages, the attacks were no longer possible, he explained.

After this article went live, the company published a blog post that said:

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."

Pilkington said he stood by his account. Sony didn't elaborate on the URL exploit or say when the web-based pages would be restored. Password reset features that use the PlayStation console continue to work normally.

The blunder raises new doubts about Sony's ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can't rule out the possibility that credit card data was also taken.

Pilkington said he was initially skeptical of the vulnerability claims until one of the participants in the IRC chat demonstrated the attack on a test account Nyleveia had set up.

“The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to,” the website reported. “It was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.”

Pilkington said he emailed the details to a Sony public relations official, and the login pages were disabled about 15 minutes after a representative sent a response.

Pilkington described the exploit process this way:

The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony's reset procedure, which required only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony's servers, complete an image verification on the page. The attacker would then proceed to a scree allowing him to change the victim's password.

“The page https://store.playstation.com/accounts/reset/resetPassword.action?token, acts as though you had clicked the unique link sent to you via Sony for completing the second page's password reset,” Pilkington said during a discussion over instant message. He said it's “highly unlikely” the exploit technique was discovered until Tuesday evening.

Sony has yet to issue any confirmation of the flaw, which Pilkington said has affected PSN users since Monday, when it was reopened following 24 days of continuous outage. On the company's European blog it said only that PSN sign-in services were down for PlayStation.com, PlayStation forums, the PlayStation blog, and complementary services including Qriocity.com, Music Unlimited via web browsers, and all PlayStation game title websites.

“Unfortunately this also means that those who are still trying to change their password password via Playstation.com or Qriocity.com will be unable to do so for the time being,” the Sony blog said. “This is due to essential maintenance and at present it is unclear how long this will take.”

Sony is requiring all PSN users to change their password before they can use the reopened service. The removal of the reset webpages means users for the time being can reset their pass phrases only through their PlayStation consoles, which remain unaffected by the outage.

The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country's government had about its security. ®

This article was updated to add details Sony subsequently published on its blog.

Combat fraud and increase customer satisfaction

More from The Register

next story
Feast your PUNY eyes on highest resolution phone display EVER
Too much pixel dust for your strained eyeballs to handle
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Report: Apple seeking to raise iPhone 6 price by a HUNDRED BUCKS
'Well, that 5c experiment didn't go so well – let's try the other direction'
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Nvidia gamers hit trifecta with driver, optimizer, and mobile upgrades
Li'l Shield moves up to Android 4.4.2 KitKat, GameStream comes to notebooks
AMD unveils Godzilla's graphics card – 'the world's fastest, period'
The Radeon R9 295X2: Water-cooled, 5,632 stream processors, 11.5TFLOPS
Sony battery recall as VAIO goes out with a bang, not a whimper
The perils of having Panasonic as a partner
NORKS' own smartmobe pegged as Chinese landfill Android
Fake kit in the hermit kingdom? That's just Kim Jong-un-believable!
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.