Yesterday, I read some tweets from a guy on Twitter claiming to have found a vulnerability in Sony's password change page that allowed someone to change the password on anyone's PSN account using only the person's email address (just the address, not via accessing the actual account) and date of birth.
That person reported it to Sony and also wrote an article about it here: -
Nyleveia - Sony » Warning All PSN Users: Accounts are still not safe.
He claimed that he'd seen the vulnerability in action and he was convinced it was real, so he passed the information on to Sony.
Another user made a comment about this vulnerability on Sony's blog and a member of the community team posted this shortly after: -
Hey Guys.
Please note that PSN sign in is currently unavailable for the following services:
PlayStation.com
PlayStation forums
PlayStation Blog
PC CAM
Qriocity.com
Music Unlimited via the web client
All PlayStation game title websites
Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take.
This was brought up on NeoGAF and many people, quite rightly, wanted more evidence before they would believe it. A NeoGAF user called Metalmurphy tweeted Nyleveia, the author of the article linked to above, and said "here's my email address and date of birth, now hack my account as proof", providing him with just his email address and date of birth. He heard nothing in response until today, when he received 2 emails from Sony. The first email was asking him to confirm a password change by clicking a link. The second email, received a few seconds later, was confirming that his password had been changed. He has now started a thread on NeoGAF providing evidence: -
http://www.neogaf.com/forum/showthread.php?t=430574
The password change page on Sony's site is now down for maintenance and a recent tweet from Nyleveia to Sony says "thank you for the speedy response guys" so there is now strong evidence to suggest that this vulnerability is true.
Sony really need to get their ****ing act together! They can talk up their new security as much as they like, but this is getting beyond a joke now.
EDIT - Now being reported on Eurogamer: -
http://www.eurogamer.net/articles/2011-05-18-sonys-psn-password-page-hacked