Feeds

New PlayStation Network hack hijacks user accounts

Sony removes sign-in pages to contain damage

The Power of One Infographic

Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.

The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user's account, Daniel Pilkington, the site's founder, told The Register. He said he observed internet chat relay discussions that showed a small number of people exploiting the flaw “to take control of an unknown number of accounts.”

“It had the potential to be used maliciously, but we think Sony acted soon enough,” Pilkington said.

Once Sony disabled the login pages, the attacks were no longer possible, he explained.

After this article went live, the company published a blog post that said:

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."

Pilkington said he stood by his account. Sony didn't elaborate on the URL exploit or say when the web-based pages would be restored. Password reset features that use the PlayStation console continue to work normally.

The blunder raises new doubts about Sony's ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can't rule out the possibility that credit card data was also taken.

Pilkington said he was initially skeptical of the vulnerability claims until one of the participants in the IRC chat demonstrated the attack on a test account Nyleveia had set up.

“The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to,” the website reported. “It was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.”

Pilkington said he emailed the details to a Sony public relations official, and the login pages were disabled about 15 minutes after a representative sent a response.

Pilkington described the exploit process this way:

The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony's reset procedure, which required only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony's servers, complete an image verification on the page. The attacker would then proceed to a scree allowing him to change the victim's password.

“The page https://store.playstation.com/accounts/reset/resetPassword.action?token, acts as though you had clicked the unique link sent to you via Sony for completing the second page's password reset,” Pilkington said during a discussion over instant message. He said it's “highly unlikely” the exploit technique was discovered until Tuesday evening.

Sony has yet to issue any confirmation of the flaw, which Pilkington said has affected PSN users since Monday, when it was reopened following 24 days of continuous outage. On the company's European blog it said only that PSN sign-in services were down for PlayStation.com, PlayStation forums, the PlayStation blog, and complementary services including Qriocity.com, Music Unlimited via web browsers, and all PlayStation game title websites.

“Unfortunately this also means that those who are still trying to change their password password via Playstation.com or Qriocity.com will be unable to do so for the time being,” the Sony blog said. “This is due to essential maintenance and at present it is unclear how long this will take.”

Sony is requiring all PSN users to change their password before they can use the reopened service. The removal of the reset webpages means users for the time being can reset their pass phrases only through their PlayStation consoles, which remain unaffected by the outage.

The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country's government had about its security. ®

This article was updated to add details Sony subsequently published on its blog.

Top three mobile application threats

More from The Register

next story
NEW Raspberry Pi B+, NOW with - count them - FOUR USB ports
Composite vid socket binned as GPIO sprouts new pins
Child diagnosed as allergic to iPad
Apple's fondleslab is the tablet dermatitis sufferers won't want to take
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
For Lenovo US, 8-inch Windows tablets are DEAD – long live 8-inch Windows tablets
Reports it's killing off smaller slabs are greatly exaggerated
Seventh-gen SPARC silicon will accelerate Oracle databases
Uncle Larry's mutually-optimised stack to become clearer in August
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.