Eurogamer has seen video evidence that verifies reports that Sony's PlayStation Network password reset system suffers from an exploit that allows attackers to change your password using only your PSN account email and your date of birth – information compromised in the PSN hack of 20th April.
Sony today made PSN sign-in unavailable for a number of its websites, including PlayStation.com and the PlayStation forums. All PlayStation game titles are also unavailable.
Crucially, the website users are directed to by password reset emails is now down.
"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," Sony said. "This is due to essential maintenance and at present it is unclear how long this will take.
"In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."
Sony later tweeted: "Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
The exploit was first revealed on Nyleveia.com.
"I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email," recommends the site.
"You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account's email is one that cannot be affiliated with or otherwise traced to you."
NeoGAF users have also corroborated the claim.
Nyleveia claims to have contacted Sony about the exploit. "The system went down approximately 15 minutes after I received a response from SCEE on the matter."
Sony has taken the page in question down, and with any luck is fixing the exploit.
Eurogamer has contacted Sony for comment.
Sony today made PSN sign-in unavailable for a number of its websites, including PlayStation.com and the PlayStation forums. All PlayStation game titles are also unavailable.
Crucially, the website users are directed to by password reset emails is now down.
"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," Sony said. "This is due to essential maintenance and at present it is unclear how long this will take.
"In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."
Sony later tweeted: "Clarification: this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email."
The exploit was first revealed on Nyleveia.com.
"I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email," recommends the site.
"You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account's email is one that cannot be affiliated with or otherwise traced to you."
NeoGAF users have also corroborated the claim.
Nyleveia claims to have contacted Sony about the exploit. "The system went down approximately 15 minutes after I received a response from SCEE on the matter."
Sony has taken the page in question down, and with any luck is fixing the exploit.
Eurogamer has contacted Sony for comment.
UPDATE 2: Web based PSN login / Password recovery is now down for maintenance, hopefully as a result of our contact with SCEE. And more importantly, hopefully to fix the security issue.
UPDATE 3: To clarify the situation, we had confirmed ourselves the method used last night, and contacted SCEE, SCEE have acted upon this information, we felt the information previously provided in our tweets and this article may have been a little too revealing to the vulnerability, thus we “dumbed down” the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it’s unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter.
We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched.
UPDATE 4: Last update on the topic most likely, i notice a lot of people are saying that we should not have posted this information and simply contacted Sony, and you’re right in thinking this, however we contacted SCEE as soon as we had confirmed that the exploit was in fact real, the problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicise the exploit advising users to change the emails used for their PSN accounts to secure them until Sony could patch the security hole.
Originally we posted rough details on how the exploit operated, to give further evidence to users that it was a valid reason for them to change their passwords, as with most news like this on the internet, people tend not to believe something until hoards of users have been affected, we posted an article on N4G advising PSN users to switch their email addresses which was promptly reported as spam/lame/fake by several users who refused to believe the news due to our site just being a small news outlet.
All along our main priority and focus has been to assist Sony and PSN users in keeping their accounts safe. If the current downtime for the web based forms results in the exploit being patched then our job is done and the potential thieft of countless user accounts has been nipped in the bud as early as humanly possible.
Thank you to everyone that has taken our warnings seriously and acted upon it, and to SCEE for their swift response to the matter.
UPDATE 5: Okay, due to the email response I felt i should answer some general common questions regarding the topic.
Q. If I already reset my password am I safe?
A. The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to.
Q. What if they don’t know my Date of Birth or Email account?
A. Then the average user would not be able to take your account, however due to the database being illegally accessed in April, it’s safe to assume that someone, somewhere, has access to a large number of users details, which include date of birth and email addresses, this alone should be reason enough to change your email.
Q. Are you sure this is real?
A. Yes, it was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method, this was additionally confirmed when a twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.
Q. Can Sony fix it?
A. Shortly after containing SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks was shut down and placed in a maintenance mode, I can only assume this is a direct response to our detailed reports to SCEE, with that said, I assume that when services resume the exploit will be patched and everyone’s data once again safe.
Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of if they have been affected or not, create a new password and change their account email to one they do not use anywhere else, and will not be sharing with anyone else just for additional security.
Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.
UPDATE 3: To clarify the situation, we had confirmed ourselves the method used last night, and contacted SCEE, SCEE have acted upon this information, we felt the information previously provided in our tweets and this article may have been a little too revealing to the vulnerability, thus we “dumbed down” the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it’s unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter.
We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched.
UPDATE 4: Last update on the topic most likely, i notice a lot of people are saying that we should not have posted this information and simply contacted Sony, and you’re right in thinking this, however we contacted SCEE as soon as we had confirmed that the exploit was in fact real, the problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicise the exploit advising users to change the emails used for their PSN accounts to secure them until Sony could patch the security hole.
Originally we posted rough details on how the exploit operated, to give further evidence to users that it was a valid reason for them to change their passwords, as with most news like this on the internet, people tend not to believe something until hoards of users have been affected, we posted an article on N4G advising PSN users to switch their email addresses which was promptly reported as spam/lame/fake by several users who refused to believe the news due to our site just being a small news outlet.
All along our main priority and focus has been to assist Sony and PSN users in keeping their accounts safe. If the current downtime for the web based forms results in the exploit being patched then our job is done and the potential thieft of countless user accounts has been nipped in the bud as early as humanly possible.
Thank you to everyone that has taken our warnings seriously and acted upon it, and to SCEE for their swift response to the matter.
UPDATE 5: Okay, due to the email response I felt i should answer some general common questions regarding the topic.
Q. If I already reset my password am I safe?
A. The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to.
Q. What if they don’t know my Date of Birth or Email account?
A. Then the average user would not be able to take your account, however due to the database being illegally accessed in April, it’s safe to assume that someone, somewhere, has access to a large number of users details, which include date of birth and email addresses, this alone should be reason enough to change your email.
Q. Are you sure this is real?
A. Yes, it was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method, this was additionally confirmed when a twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.
Q. Can Sony fix it?
A. Shortly after containing SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks was shut down and placed in a maintenance mode, I can only assume this is a direct response to our detailed reports to SCEE, with that said, I assume that when services resume the exploit will be patched and everyone’s data once again safe.
Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of if they have been affected or not, create a new password and change their account email to one they do not use anywhere else, and will not be sharing with anyone else just for additional security.
Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.
Sources: EuroGamer.Net
Nyleveia.com
No comments:
Post a Comment