Web-based PSN Login / Password Recovery Exploited


Submitted by greg; May 18, 2011
You'll notice trying to login to PSN via playstation.com that again the service is down for maintenance. Don't get it twisted though; on your PS3 console itself you can login just fine. PSN remains up. The problem lies in the web-based password recovery function where all that's needed is your email address and date of birth. Yup -- that's right... A database of 77 million user email addresses and birth dates was stolen. Put two and two together and you can figure it out. Your shit ain't necessarily safe, regardless of the forced password change in firmware 3.61. Originally reported by Nyleveia, the specifics remain under wraps:
While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.
What Nyleveia suggests: Creating a new email address somewhere, keeping it secret, and associating your PSN account with said new address; and never use that address anywhere else. Brutal... I guess the hired "recognised technology security firm" missed this one. - source: sony.nyleveia.com


Tags: exploits, PS3 Hacks, PSN



Related Stories:




Become a Member of Dashhacks!

If you want your comments to go live without waiting for moderation, you need to be logged in. Being logged in has its benefits:
  • Logged in members do not wait for their comments to be approved.
  • Logged in members can sign up for nightly updates.
  • Logged in members can create Profiles to be seen by other users.
So why wait? Create an account or login now! It's easy, quick, and free.

To get started, use the LOGIN boxes, or the REGISTER link at the top right!

Comments 


 
# Mads Teland 2011-05-18 13:21
Its good for me because i did only change password on PS3 after PSN return ;)

Reply
 

 
# jcastro4 2011-05-18 13:21
u serious??

Reply
 

 
# June Hong 2011-05-18 13:35
this is why the combination of information stolen was important and should have been protected better. individually the information isnt really that dangerous but together ppl are screwed.

Reply
 

 
# Alan Stokes 2011-05-18 14:24
Brutal... I guess the hired "recognized technology security firm" missed this one.
lmfao

Reply
 

 
# yodak27 2011-05-18 14:44
all hail the death of cfw trust me

Reply
 

 
# Mark Mac Lennan 2011-05-18 14:49
Really does not surprise me, sony obviously don't care atall about keeping there customers details safe.

Reply
 

 
# Mark Mac Lennan 2011-05-18 14:51
"all hail the death of cfw trust me"

Care to explain?

Reply
 

 
# Bruno Vasconcelos 2011-05-18 15:13
the only thing i need to say is:
http://www.youtube.com/watch?v...

xD

Reply
 

 
# kev5189 2011-05-18 15:14
not sure if this is an old problem or not but l was on black ops zombies about 2 hours when playstation network signed out cos someone else signed in with the same name

Reply
 

 
# Mietek Zul 2011-05-18 15:30
sony got ownt once more

Reply
 

 
# Mark 2011-05-18 16:02
HAHAHAHAHA Sony you basically put the cherry on top of the cake.

Reply
 

 
# khfan129 2011-05-18 16:21
Hey nyleveia.com says it was an "exploit" but the Sony blog says "it was not hack" so who's right?

Reply
 

 
# James Soileau 2011-05-18 16:28
Told you so......

Reply
 

 
# James Soileau 2011-05-18 16:30
Blackhole + obtained ip + proxy = Fun

Reply
 

 
# khfan129 2011-05-18 16:30
Nyleveia.com says it was an "exploit" butthe Sony blog said "don't worry, it wasn't a hack. So who's right?

Reply
 

 
# James Soileau 2011-05-18 16:32
yoda....go fly an xwing or tinker with your force.

Reply
 

 
# Garean Smith 2011-05-18 16:57
In other words; "Change your whole fucking life so you can play games through our shitty service"

Reply
 

 
# Yes Yep 2011-05-18 17:15
"A database of 22 million user email addresses and birth dates was stolen."

Which database is this?

Reply
 

 
# yodak27 2011-05-18 17:18
its never going to happen i wish it would, i have the 3.60 keys but aint got a clue how to use them, devs are working on things for cfw only ie linux

Reply
 

 
# yodak27 2011-05-18 17:22
just saying it as it is, i want it to but?

Reply
 

 
# -hacks 2011-05-18 17:32
the PSN one

Reply
 

 
# big_russ 2011-05-18 18:11
i got that one to.

Reply
 

 
# Yes Yep 2011-05-18 18:19
I thought that was 77 million accounts?

Reply
 

 
# -hacks 2011-05-18 18:23
oh yeah, my bad...

Reply
 

 
# Yes Yep 2011-05-18 18:29
No worries :) I was just wondering if there was another database that was hacked that i hadnt heard about, so i just had to ask.

Reply
 

 
# Yes Yep 2011-05-18 18:34
The firms that Sony hired were Data Forte, Guidance Software and Protiviti. I know very little about security firms in general, so i have no idea how recognized these firms are though.

http://www.informationweek.com...

Reply
 

 
# Ciaran Hallissey 2011-05-18 18:40
duz it ever end?

Reply
 

 
# Guest 2011-05-18 18:56
I will give you a hint, Don't trust a fucking thing Sony says.

Reply
 

 
# jtc242 2011-05-18 19:44
It surprises me. They may not care about the consumer, but this is hurting their wallet big time. I heard estimates of over 1 billion when this is all said and done.

Reply
 

 
# jtc242 2011-05-18 19:52
It really isn't a hack. It was just a dumb mistake. They forgot about the password reset tool on their website. You only need your birthday and email address to change your PSN password... The thieves have that information as part of the data they stole. They have since fixed it.

Reply
 

 
# James Soileau 2011-05-18 20:40
cfw will never die, it would be like saying all hackers just up and said "You know what...knowledge is just boring now." NOT going to happen.

Reply
 

 
# James Soileau 2011-05-18 20:43
Come on Duke.... You know their "Compensation" was the best thing around since sliced bread. Now simplistic phishing attempts even fool their crack team of security experts... *Sigh*

Reply
 

 
# isotrex 2011-05-18 20:58
Sony sucks!

Reply
 

 
# Christopher Tyronius Neal 2011-05-18 21:17
make a new account, use a email address ONLY for PSN, pre paid cards.... Good, moving on.

Reply
 

 
# Mike p 2011-05-18 21:45
It wasn't even a phishing attack.  They already had all the data, they could have just entered correct data into that form 77 million times and changed everyones password to whatever they damn well pleased!  (I hope that form atleast used a good captcha so they couldn't use a macro.)  Thats like stealing a car after you mugged the owner for the key.

If they didn't have credit cards yet, they probably could have logged in as you and gotten that data now...

Reply
 

 
# Guest 2011-05-18 22:08
Sony just made the sequel to Titanic. They cant even breathe with their heads so far up their own ass. Maybe they should hire some hackers a fire some suits.

Reply
 

 
# Guest 2011-05-18 22:11
Is Sony still using the password 1234 on all their servers, Cause they need to change that shit C'mon!

Reply
 

 
# Isaac Paul 2011-05-18 23:04
Who is in charge of their security? seriously first place people go to steal accounts is with password recovery pages. Maybe they should start hiring highschool nerds cuz they'll probably do a better job

Reply
 

 
# James Soileau 2011-05-18 23:21
Seems like some of the people they hired were also owners of ps3 systems and rightfully said in lame terms "Fuck your security Sony..."

Reply
 

 
# James Soileau 2011-05-18 23:34
Depends on your thoughts of what phishing are...

Phishing is an example of social engineering techniques used to deceive users and exploits the poor usability of current web security technologies.

So its using your "bait" to find further information.

*wiki shrug*

So yes they used information obtained to phish information whatever that may of been.... what part of that did you not understand?


OH WAIT your ideal of phishing is only emails and someone replying or maybe molesting cookies from browsers.....oh ok the simple minded view.

"If they didn't have credit cards yet, they probably could have logged in as you and gotten that data now..."

.....awesome contradiction of point.

Reply
 

 
# Curan Altea 2011-05-19 02:26
Maybe not cfw exactly, but modded os', flashcarts, modchips, etc. Hackers allways find a way.

Reply
 

 
# Yes Yep 2011-05-19 04:49
Why would they do that just because they own a PS3? Personally i dont think that these people would jeopardize their job and reputation over something like this :) I think that it is more likely that these firms only focused/worked on the PSN servers themself and not the websites. But i cant say for sure though, it is just a guess.

Reply
 

 
# James Soileau 2011-05-19 17:25
<sarcasm>
Come on really? I swear they own ps3's and its the whole point! REALLY!

</sarcasm>

Easier to identify?

Reply
 

 
# Yes Yep 2011-05-19 19:18
Are you being sarcastic now? Hehe :P

Seriously though, i know that what you wrote earlier was more ment as a joke, so i didnt mean to take it 100% serious as my reply maybe looked like, sorry about that. But i have read different comments online from other people who seems to really hate Sony, so it would not surprise me that much if someone actually thinks that one of these security companies might do this to Sony on purpose.

I dont read much of the comments on this site, so this is not aimed towards what you have said earlier just to underline that. I am only generally speaking when it comes to the comments i have read online from people who seems to really hate Sony.

:)

Reply
 

 
# James Soileau 2011-05-19 21:01
Well I may think they hold the dollar closer to big CEO's rather than security, make bad decisions in cutting intended features from items, try to label people who have a keen sense of knowledge as leaders in piracy and compensate in odd and remorseless fashion. There is one thing I do know, I do not hate the company as a whole. I believe there  are misguided and perhaps uneducated "leaders" who make bad choices on top of bad choices.

You cannot intend to have success if your choices are to piss away your most abundant resource, Users.

Now take those users no matter what happens no one will forget the atrocities Sony has caused and continue to do so. I only hope one day they wise up and remember the fundamentals.

All too serious note....


Reply
 

 
# Yes Yep 2011-05-20 11:22
I dont think that anyone tried to label Geohot or graf_chokolo (which i assume you're reffering to?) as leaders in piracy, but that what they did (especially Geohot when he released the PS3 decryption keys) could easily lead to piracy, which is true. Some people have different opinions about this, if it was right or wrong.

Which compenstaion in odd and remorseless fashion do you mean by the way?

Personally, i also dont think that any company tries to make their consumers angry, but unfortunately sometimes though decitions have to be made, and these decitions can't always make everyone happy.

I think that people who "forget" these things either don't care much about it or they have understanding for it. But again, people have different opinions about these things =)

Reply
 

 
# jamar623 2011-05-20 12:24
nkb.kkjjb/lb

Reply
 

 
# sxyleexx 2011-05-20 15:47
heres a good one if anyone's up for it a video stream recorder i.e lovefilm or bittorent

Reply
 

 
# Ralkage 2011-05-21 00:28
Even a Zombie could hack Sony's servers and exploit them at the same time.

Tsk tsk.

Reply
 

 
# Guest 2011-10-13 01:08



Dubai SEO 





Is Sony still using the password 1234 on all their servers, Cause they need to change that shit C'mon!

Reply
 

Add comment

Security code
Refresh




 
CREATE ACCOUNT NOW TO POST COMMENTS!

Why create an account on the Dashhacks network? Because being logged in has its privileges!

• COMMENTS! Only logged in users comments go live without waiting for moderator approval!
• No video! The video ad in the upper right doesn't interrupt you on all pages!
• Customize your profile! Flaunt your xBox Live & PSN gamertags!
• It's FREE and it's EASY! And one login works for all of the Dashhacks review sites!

So what are you waiting for?

Go to the TOP RIGHT of the page and LOGIN or click REGISTER!