Error Code (aka The Great PSN Easter Outage of 2011) - Part 1

Sony's Password Reset System Has Been Compromised

In case you were betting on how long it was going to take for something to go wrong on the PSN after it began to come back online last weekend, those of you who bet on "five days or less" win the door prize. Congratulations: you get a free copy of inFamous, and your password stolen again.

Late last night, Nyleveia discovered--and users on NeoGAF have verified--that Sony's online password reset system--specifically, the web-based version on sites such as PlayStation.com and Qriocity.com--has a rather nasty exploit in it that allows any would-be hacker to simply reset your account password provided they know your PSN account email and your date of birth. That's it. Entering that info apparently lets anyone who knows the exploit reset your password and access your account. On the plus side, you'll get an email sent to you notifying you that your password has been reset. So that's awesome.

Not long after this was reported, Sony took all of its web-based login systems down, and as of this writing, there is no specific update as to how long this fix will take to put into place. The official SCEE Twitter account noted this morning that "this maintenance doesn't affect PSN on consoles, only the website you click through to from the password change email." So, to clarify, you can still log in on your console and play games online via PSN. You just can't use any of the web-based login sites until Sony fixes this exploit.

Nyleveia suggested that users create an entirely new email address for their PSN accounts, one not associated with any other online accounts in order to be absolutely safe. Because that's where we're at now. We're creating all new accounts just to be able to safely log into the PlayStation Network. I really hate the Internet sometimes.
 
Sony is having some more issues, this time a password hack where your password can be changed remotely by whoever wants!

I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe.
A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth.

It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.

While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.

Roughly a minute later they requested that we try to login with the password we used for the account (which they did not know at any point), and sure enough, we were presented with an invalid username and/or password prompt.

In addition to this, within a few minutes we received an email from Sony stating the following:

This email confirms that your PlayStation(R)Network password account has been changed successfully.

If you did not change your password…
This email has been sent to you because the password for the relevant PlayStation(R)Network account has been changed.
If you did not change your password, please contact Customer Support at the following address:

[email protected]

The PlayStation(R)Network Team


While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the currently implemented password reset form, which does not properly verify tokens.

UPDATE: In the interest of sidestepping the naysayers and getting the warning out there, if someone working for a larger, more well known site (Kotaku, Destructoid, IGN, etc) wants to contact me for a live demonstration that this exploit is the real deal, you can do so at [email protected].

UPDATE 2: Web based PSN login / Password recovery is now down for maintenance, hopefully as a result of our contact with SCEE. And more importantly, hopefully to fix the security issue.

UPDATE 3: To clarify the situation, we had confirmed the method ourselves last night and contacted SCEE. SCEE have acted upon this information. We felt the information previously provided in our tweets and this article may have been a little too revealing of the vulnerability, thus we "dumbed down" the explanation of the security hole. We have provided SCEE with a detailed description of the security hole.
While it's unclear at this time whether they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter.

We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched.

UPDATE 4: Last update on the topic, most likely. I notice a lot of people are saying that we should not have posted this information and should simply have contacted Sony, and you're right in thinking this. However, we contacted SCEE as soon as we had confirmed that the exploit was in fact real. The problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages, and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicise the exploit, advising users to change the emails used for their PSN accounts to secure them until Sony could patch the security hole.

Originally we posted rough details on how the exploit operated, to give further evidence to users that it was a valid reason for them to change their passwords. As with most news like this on the internet, people tend not to believe something until hordes of users have been affected. We posted an article on N4G advising PSN users to switch their email addresses, which was promptly reported as spam/lame/fake by several users who refused to believe the news due to our site just being a small news outlet.

All along our main priority and focus has been to assist Sony and PSN users in keeping their accounts safe. If the current downtime for the web based forms results in the exploit being patched, then our job is done and the potential theft of countless user accounts has been nipped in the bud as early as humanly possible.

Thank you to everyone that has taken our warnings seriously and acted upon it, and to SCEE for their swift response to the matter.

http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-your-accounts-are-still-not-safe/
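The Nyleveia post above says only that the reset form was "not properly verifying tokens", and Sony's later statement calls it a "URL exploit", so the real mechanism is not on record here. The following added example (mine, not Nyleveia's or Sony's code) shows the general shape of that failure mode and its fix: a reset handler that trusts what arrives in the URL (e-mail plus date of birth) beside one that insists on a server-issued, HMAC-signed, account-bound, expiring, single-use token. The account store, server secret, e-mail addresses and dates of birth are all constructed for the example.

```python
"""Illustrative password-reset handlers (added example, not Sony's code).

vulnerable_reset() models the failure described in the thread: anyone who
knows an account's e-mail and date of birth can set a new password.
hardened_reset() models the fix: the reset link carries a token that the
server issued for that specific account, and the token is verified
(signature, account binding, expiry, single use) before anything changes.
"""
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side key; in production this comes from a secret store.
SERVER_SECRET = b"example-server-secret-not-a-real-key"
TOKEN_TTL_SECONDS = 15 * 60

# Constructed test accounts: addresses, DOBs and passwords are made up.
ACCOUNTS = {
    "player@example.com": {"dob": "1985-03-02", "password": "correct horse"},
    "other@example.com": {"dob": "1979-11-20", "password": "battery staple"},
}

# Issued reset tokens: token_id -> (email, expiry). Entries are deleted on use.
ISSUED = {}


def vulnerable_reset(params):
    """Reset form that trusts the request parameters alone.

    Knowledge of e-mail + DOB is enough; no token is checked at all.
    """
    acct = ACCOUNTS.get(params.get("email"))
    if acct is None or acct["dob"] != params.get("dob"):
        return False
    acct["password"] = params["new_password"]
    return True


def issue_token(email, now=None):
    """Create the token that goes into the reset link e-mailed to the user.

    token = random id . expiry . HMAC(secret, id|email|expiry)
    The HMAC binds the token to one account and one expiry time.
    """
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    token_id = secrets.token_urlsafe(24)  # never contains '.'
    msg = f"{token_id}|{email}|{expiry}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    ISSUED[token_id] = (email, expiry)
    return f"{token_id}.{expiry}.{tag}"


def verify_token(token, email, now=None):
    """True only if token was issued for this email, is unused, unexpired and intact."""
    now = time.time() if now is None else now
    try:
        token_id, expiry_s, tag = token.split(".")
        expiry = int(expiry_s)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    record = ISSUED.get(token_id)
    if record is None:
        return False  # unknown, or already consumed
    if record != (email, expiry):
        return False  # token belongs to another account or was re-stamped
    msg = f"{token_id}|{email}|{expiry}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered tag
    return now <= expiry


def hardened_reset(params, now=None):
    """Reset form that changes the password only after the token checks out."""
    email = params.get("email")
    token = params.get("token", "")
    if email not in ACCOUNTS or not verify_token(token, email, now):
        return False
    del ISSUED[token.split(".")[0]]  # single use: burn the token first
    ACCOUNTS[email]["password"] = params["new_password"]
    return True
```

The point of the example is which inputs decide the outcome. In the vulnerable handler every deciding input (e-mail, DOB) is something an attacker can learn or guess, which matches the thread's description of an attack needing only those two facts. In the hardened handler the deciding input is a value the server created and e-mailed to the account owner, and it is checked against server state rather than against whatever the URL claims.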
 
Whoops just saw that Soapy already posted the majority of the info.

But still, yeesh, Sony's security has more holes than Mr. Potato Head. :o
 
Great. Good thing I got plenty of spare email addresses lying around.
 
Wow the media pounced on this one. lol.

Basically, the hacker would have needed your DOB and your e-mail account to change your password. If you have not received an e-mail telling you your password has been reset, then you have nothing to worry about. All the sites have been taken down and the exploit is being fixed.

Edit: From the Blog.

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.
http://blog.us.playstation.com/2011/05/18/update-on-psn-password-reset-process/
 
I know a lot of you guys and some friends of mine are having issues with this and are rightly pissed, but I can't help but laugh at this whole scenario. It's like some kind of parody.
 
Well, that's cool that you find potential personal info theft so funny :/
 
The entire thing is just unreal, I may just be desensitized to it, is all.
 
Yeah, KAL the media completely blew this one up. Some MCV dude started freaking out on Twitter straight away. Just came across as bit of an idiot.
 
Anyone received an e-mail?
 
This was posted by Brainiac 8 over in the L.A. Noire thread:

This is...something:

Rockstar Support
posted this on May-17 18:21

Question: My PS3 turns itself off when I am playing L.A. Noire. What can I do?

Answer: We have received some reports of PS3s overheating while playing L.A. Noire or beeping three times before shutting down/turning themselves off, mostly on older 60GB and 80GB fat models.

Primary reports seem to be that updating to firmware 3.61 will cause PlayStations to overheat. There have been various reports of this on a few different games now, all reporting their PS3s turning off or "Red Lighting" after having installed 3.61. This can range from games randomly freezing to PS3s turning off anywhere between 30 mins use to 2 hours. We have confirmed locally that multiple games (Rockstar and non-Rockstar) overheat or freeze only when 3.61 is installed.

At this time we are recommending contacting Sony directly to report the overheating issue. However, this is not the end of our support; we are continuing to test L.A. Noire on all firmware versions and hardware models to isolate the issues and see what can be done. As always, we will update this article as soon as we have updates.
http://support.rockstargames.com/entries/20127883-ps3s-shutting-themselves-off-while-playing-l-a-noire
 
I swear that Sony just can't catch a break right now. It's almost becoming a parody.
 
The funny thing is, the support team gathered that info from the EU Playstation message board. Hardly proof of the FW causing an issue. That's pretty sucky support.
 
Well, in their defense...they did say "reports" and not "proof".

edit: Well, they said that they confirmed that in North America that multiple games have been freezing post FW update.
 
The point is that they are Customer Support. They have the responsibility to give accurate information to help solve issues. They should never go to a message board or use Google to find a solution. They should have said that they are looking into the issue. They should have worked with Sony or done their own testing. It was just lazy and makes them look bad.
 
But, they said they confirmed it...so wouldn't that indicate some testing? I mean, they don't exactly explain anything other than that. But, I would assume when they say they've confirmed it, that they've done more than browse forums.

I would hope so, at least. They did say they will "continue to test".
 
Anyone received an e-mail?

I did, but that's because I actually changed my email the day the PSN came back up when prompted. I've been playing Xenogears again from the PSN the last week, and while at it checking if the PSN had come back up when starting my PS3 up. Just read that an hour ago and checked my email account. After I saw that, just in case, I changed my accounts email, and password again.
 
I didn't, but I didn't wait around to find out. I just switched emails... No big deal.
 
But, they said they confirmed it...so wouldn't that indicate some testing? I mean, they don't exactly explain anything other than that. But, I would assume when they say they've confirmed it, that they've done more than browse forums.

I would hope so, at least. They did say they will "continue to test".

Well, they removed the link/Q&A. So maybe they did mess up. Who knows.

You do not have access to this topic

It may have been deleted.
 
The ironic thing is that I can't remember what I changed my password to, so I can't get in and change my email. Hopefully they have the link back up soon.
 