
[UPDATE] PSN Password Reset Vulnerable to Exploit

This article is over 13 years old and may contain outdated information

According to reports, Sony websites meant to help PlayStation Network users secure their accounts were vulnerable to a simple exploit.

Sony finally brought the PlayStation Network back online this week, in the process releasing a firmware update that required users to reset their passwords just to be safe. Sadly, it looks like Sony can’t catch a break, as some of its websites used to help reset those passwords were also vulnerable to an exploit.

The exploit apparently allowed anyone with a PSN user’s date of birth and email address to change their password without confirmation. This was reportedly information that could have been leaked in the attack on Sony.

Nyleveia first reported on the vulnerability, and it was confirmed by a poster on NeoGAF. Sony made PSN sign-in and password change unavailable on various websites such as PlayStation.com and Qriocity.com around 15 minutes after Nyleveia contacted the company, saying: “This is due to essential maintenance and at present it is unclear how long this will take.” Sony is likely fixing the issue.

Thankfully, even if someone tried to change a user’s password using this exploit, the system would send a confirmation email, though the link inside did not need to be clicked. If you didn’t get this email, along with an email confirming a password change, you’re safe. Changing one’s password through a PlayStation 3 console was not affected by the vulnerability.
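The design flaw described above, shown as an added illustration that is not Sony's code or taken from the reports: a reset step that accepts email plus date of birth as authorisation, next to one that accepts only the single-use token from the emailed link. The class, method names, token lifetime and sample account are all assumptions made for the sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # seconds; assumed lifetime of an emailed reset link

class ResetService:
    """Hypothetical reset flow; the password field stands in for a salted hash."""

    def __init__(self, accounts):
        self.accounts = accounts  # email -> {"dob": ..., "password": ...}
        self.pending = {}         # sha256(token) -> (email, expiry)
        self.outbox = []          # (email, token): stand-in for sending mail

    def request_reset(self, email):
        # Mail a random token; behave identically for unknown addresses.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, time.time() + TOKEN_TTL)
            self.outbox.append((email, token))

    def change_password_weak(self, email, dob, new_password):
        # Flawed pattern: leaked identity data alone authorises the change,
        # so the emailed link never has to be opened.
        acct = self.accounts.get(email)
        if acct and acct["dob"] == dob:
            acct["password"] = new_password
            return True
        return False

    def change_password(self, token, new_password, now=None):
        # Hardened pattern: only possession of the emailed token counts.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if (time.time() if now is None else now) > expiry:
            return False
        self.accounts[email]["password"] = new_password
        return True

def demo():
    # Constructed sample account, not real data.
    svc = ResetService({"user@example.com": {"dob": "1990-01-01", "password": "old"}})
    weak = svc.change_password_weak("user@example.com", "1990-01-01", "taken")
    svc.request_reset("user@example.com")
    token = svc.outbox[-1][1]
    guessed = svc.change_password("not-the-token", "taken-again")
    first = svc.change_password(token, "new")
    replay = svc.change_password(token, "replayed")
    return weak, guessed, first, replay  # (True, False, True, False)
```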

This exploit really makes you wonder. Are these kinds of things issues with every company, and Sony merely has a magnifying glass upon it, or is Sony dropping the ball somewhere? Sony may have been the victim of a “highly sophisticated” attack, but for the password reset system to be vulnerable in such a simple way is really a “WTF” moment in light of the recent PSN debacle.

*UPDATE* To clarify, Sony’s Patrick Seybold explains on the PlayStation Blog that there was no hacking or hackers involved here. “We temporarily took down the PSN and Qriocity password reset page,” he writes. “Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”

He recommends that anyone still needing to change their password do so through a PS3 console. It can be done through web-related means once the websites go back up.

Source: Eurogamer
