Sony PlayStation Network logins exploited again

By on May 18, 2011, 12:00 PM

Update: Sony has fixed the flaw. "We temporarily took down the PSN and Qriocity password reset page," a Sony spokesperson said in a statement. "Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed. Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."

Sony's PlayStation Network (PSN) password reset system has suffered from an exploit that allows attackers to change your password using only your PSN account email and your date of birth. This information was compromised in the original PSN hack on April 20, 2011, so whoever has the data from Sony could in theory reset any of the captured users accounts simply by entering the details they stole.

Nyleveia was first contacted about the security breach by an unknown individual. The site at first believed it was a poor hoax designed only to stir the community into another frenzy, but decided to create a test account to verify the claims. After giving the individual the account email and the date of birth used for the account, a minute later the contact had successfully managed to change the password. It's important to emphasize that the person did not know the old password. Once the security hole was confirmed, Sony was given a detailed description of how it works.

After being notified of the flaw, Sony took down the PSN sign-in page for a number of its websites just 15 minutes after responding to the warning. This means the website users are directed to by password reset emails is now down (as shown below). This "maintenance" doesn't affect PSN on consoles, only the website users are trying to access to change their password and thus get back onto PSN.

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," a Sony spokesperson said in a statement. "This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

The exploit in question works despite Sony forcing you to change their password when you first reconnect to PSN. An attacker can change your password using only your account's email and date of birth, so you should create a new email address that you will not use anywhere else, and switch your PSN account to use this new email.

Unfortunately, you won't be able to do this until Sony puts the webpage in question back up. Let's hope that Sony manages to fix the exploit in a timely manner. Further details on the security flaw will not be released until Sony patches it.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.