
PSN password change webpage vulnerability

DJSigma

Banned
Yesterday, I read some tweets from a guy on Twitter claiming to have found a vulnerability in Sony's password change page that allowed someone to change the password on anyone's PSN account using only the person's email address (just the address, not via accessing the actual account) and date of birth.

That person reported it to Sony and also wrote an article about it here: -

Nyleveia - Sony » Warning All PSN Users: Accounts are still not safe.

He claimed that he'd seen the vulnerability in action and he was convinced it was real, so he passed the information on to Sony.

Another user made a comment about this vulnerability on Sony's blog and a member of the community team posted this shortly after: -

Hey Guys.

Please note that PSN sign in is currently unavailable for the following services:
PlayStation.com
PlayStation forums
PlayStation Blog
PC CAM
Qriocity.com
Music Unlimited via the web client
All PlayStation game title websites

Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take.

This was brought up on NeoGAF and many people, quite rightly, wanted more evidence before they would believe it. A NeoGAF user called Metalmurphy tweeted Nyleveia, the author of the article linked to above, and said "here's my email address and date of birth, now hack my account as proof", providing him with just his email address and date of birth. He heard nothing in response until today, when he received 2 emails from Sony. The first email was asking him to confirm a password change by clicking a link. The second email, received a few seconds later, was confirming that his password had been changed. He has now started a thread on NeoGAF providing evidence: -

http://www.neogaf.com/forum/showthread.php?t=430574

The password change page on Sony's site is now down for maintenance and a recent tweet from Nyleveia to Sony says "thank you for the speedy response guys" so there is now strong evidence to suggest that this vulnerability is true.

Sony really need to get their ****ing act together! They can talk up their new security as much as they like, but this is getting beyond a joke now.

EDIT - Now being reported on Eurogamer: -

http://www.eurogamer.net/articles/2011-05-18-sonys-psn-password-page-hacked
 

Fen Star

Prominent Member
Well, I changed the email when I changed my password, and if my account does get compromised because of this then I will keep my PS3 because of the excellent exclusives, but it will be offline. I refuse to set up another email/password. I will use my 360 for online gaming if I want to. I guess we'll wait and see. Thanks for the heads up DJ... :smashin:
 

DT53

Established Member
I'll copy what I wrote from another forum.

I originally got signed out of MW2 with this message;

"Someone with the same PSN id as you has logged in".

I then got booted out of the game and my PSN signed out. I then signed back in with no problems. I have auto sign in on, so I didn't pay attention to the number of characters in my password. I then saw this thread, so went to change my email address.

It now says "password is not valid". I know the password is correct because I made a note of it.

I then signed my PSN out and noticed on my password 3 more characters have appeared. I never have passwords that long. I can still sign in thanks to auto sign in but can't do anything within account management.

It's probably not linked, but I have contacted Sony just to be on the safe side.
 

DJSigma

Banned
It's a good job that someone reported this to Sony, because it also allowed the person doing the exploit to access the target's billing information.

The exploit was simply a case of opening a couple of browser tabs, navigating to certain Sony pages and trying to change the password using the person's email address and DOB. This causes a security token to appear in one of the URLs, which you just copy and paste over to the other URL and then it accepts the password change, as it's essentially the equivalent of the user clicking the confirmation link sent to them in the password change request email. :facepalm:
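The two-tab trick described in the post comes down to one design mistake: the confirmation token that is supposed to reach only the account holder's mailbox also turns up in a URL the requesting browser can see. The example below is added here to model that flaw beside a corrected flow; it is not Sony's code, and the account record, the reset.example endpoints and the email-plus-DOB check are constructed assumptions standing in for the real pages. The vulnerable class leaks the token into the landing URL, so an attacker who knows only the email and DOB can paste it into the confirm URL; the hardened class confines the token to the mailbox, stores only a hash of it, makes it single-use and time-limited, compares it in constant time, and returns the same landing page whether or not the details matched.

```python
import copy
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed account data; the real service's records are not known here.
ACCOUNTS = {"victim@example.com": {"dob": "1985-04-12", "password": "old-pw"}}
CONFIRM = "https://reset.example/confirm"   # hypothetical endpoint


def fresh_accounts():
    """Independent copy of the constructed account table for each run."""
    return copy.deepcopy(ACCOUNTS)


def token_from(url):
    """Pull the token query parameter out of a URL ('' if there is none)."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


class VulnerableReset:
    """Reset flow with the flaw described in the post: the confirmation
    token shows up in a URL the *requesting* browser can see, so the
    emailed link is never needed."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.tokens = {}     # token -> email
        self.outbox = []     # stands in for the mail server

    def start(self, email, dob):
        """Tab 1: email + DOB are the only check. Returns the page the
        browser lands on; it carries the same token as the email."""
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return "https://reset.example/error"
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        self.outbox.append((email, f"{CONFIRM}?token={token}"))
        return f"{CONFIRM}?token={token}"        # <- the leak

    def confirm(self, email, token, new_password):
        """Tab 2: whoever presents a valid token gets the password changed."""
        if self.tokens.get(token) != email:
            return False
        del self.tokens[token]
        self.accounts[email]["password"] = new_password
        return True


class HardenedReset:
    """Same flow with the token confined to the mailbox: stored only as a
    hash, time-limited, single-use, compared in constant time."""

    TTL_SECONDS = 15 * 60

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock       # injectable so expiry can be exercised
        self.pending = {}        # email -> (sha256(token), expiry)
        self.outbox = []

    def start(self, email, dob):
        acct = self.accounts.get(email)
        if acct is not None and hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, self.clock() + self.TTL_SECONDS)
            self.outbox.append((email, f"{CONFIRM}?token={token}"))
        # Identical landing page for hit and miss: no token, no account enumeration.
        return "https://reset.example/check-your-email"

    def confirm(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self.pending[email]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False                          # 256-bit random token: guessing is hopeless
        del self.pending[email]                   # single use
        self.accounts[email]["password"] = new_password
        return True


def two_tab_attack(flow, email="victim@example.com", dob="1985-04-12"):
    """The trick from the post: start a reset in tab 1 knowing only email
    and DOB, copy whatever token the address bar shows into tab 2."""
    landing = flow.start(email, dob)
    return flow.confirm(email, token_from(landing), "attacker-pw")


def legitimate_reset(flow, email="victim@example.com", dob="1985-04-12"):
    """The intended path: the token is read from the account holder's inbox."""
    flow.start(email, dob)
    _, link = flow.outbox[-1]
    return flow.confirm(email, token_from(link), "new-pw")


if __name__ == "__main__":
    print("vulnerable, two-tab:", two_tab_attack(VulnerableReset(fresh_accounts())))
    print("hardened, two-tab:  ", two_tab_attack(HardenedReset(fresh_accounts())))
    print("hardened, via email:", legitimate_reset(HardenedReset(fresh_accounts())))
```

Running it prints True for the two-tab attack against the vulnerable flow and False against the hardened one, while the legitimate path through the mailbox still succeeds. The point is that none of the extra hardening matters if the token ever reaches the requester's browser; the email channel is the whole second factor, and DOB on its own is public enough that it should not be the only gate in front of it.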
 

golden phoenix

Distinguished Member
Now confirmed by Sony who say it's been fixed: -

New Exploit Puts PSN Accounts at Risk, Sony Says it's Fixed

That is very disappointing. When I first logged into my account again my credit card details were still in there! You'd think they would have deleted them (I removed them straight away).

Also, there is no need to store my details anywhere at any time. Although it's a pain, I would quite happily enter them every time for improved security.

Obviously Sony haven't completed their homework on something as simple as an improved password system and access (hell, when I log on at my bank I have at least 5 sets of passwords to complete). Even something as simple as mother's maiden name, favourite drink, dog's name, favourite song would be better than this... even before we get to their newly restored, supposedly secure servers!
 
Just more stuff to know about you when your details get stolen :)

Now, one-time responses to SMSes or a key card like some banks do... that would be progress. Heck, I'd even pay a fiver for it!
 
