Sony has discovered and then patched a new dangerous security flaw with its Playstation Network
Sony has uncovered another security flaw with its PlayStation Network and Qriocity music and video service. However it has fixed the vulnerability that could have allowed hackers to gain control of user accounts.
The latest security hole was found on the webpage that users were using to reset passwords for their PSN and Qriocity accounts from their PCs, according to a 18 May report in The Wall Street Journal. After restoring the PSN network after nearly a month offline, Sony required users to first update the firmware on their PlayStation console and then to reset their account password.
The security hole on the password reset page allowed anyone with the account holder’s date of birth and email address to reset the passwords. Considering that Sony said birth dates and email addresses were among the personal information stolen when attackers breached its servers, changing the passwords to gain control of the user accounts is not an unlikely scenario.
Gaming website Nyleveia.com confirmed the exploit actually worked on its website on 17 May. Noting that the instructions for the attack were “doing the rounds” and spreading rapidly, Nyleveia contacted Sony to address the issue.
The password reset page for the PlayStation Network remains down, even though the flaw has been fixed, according to Nick Caplin, head of communications at Sony Computer Entertainment Europe.
The website will be available “as soon as we bring that site back up,” wrote Caplin.
This should not affect users trying to get back on the PSN, as they can use the PlayStation 3 console to reset their PSN passwords. The problem was only present for users using their own computer to access the page online, a Sony spokesperson told The Wall Street Journal.
Sony discovered that unknown intruders had breached its servers around 16 April and stolen personal information belonging to 77 million individuals with accounts on the PlayStation Network and Qriocity. The company shut down the services without warning on 20 April, and then finally admitted to the breach on 26 April.
It discovered the second data breach affecting an additional 25 million individuals with accounts on Sony Online Entertainment service on 2 May as well as a handful of smaller “obsolete” servers.
Analysts had estimated the breach will wind up costing the company as much as $1 billion (£620m) in remedies, damage to the brand and lost business.
Gene Spafford, a computer science professor at Purdue University, testified at a Congressional hearing on 4 May that Sony did not have a firewall running on PSN servers and that it was running an obsolete version of the Apache web server software.
John Bumgarner, CTO of independent, non-profit research institute United States Cyber-Consequences Unit, uncovered even more security vulnerabilities as recently as 10 May. The latest vulnerabilities included being able to access internal resources, such as security-management tools and other internal applications, on several pages affiliated with Sony.
A Sony spokesman told the Wall Street Journal the vulnerability was a “URL exploit,” which would allow the attacker to trick the reset page by manipulating the page’s address. An attacker who’d hijacked a PSN user account would be able to make purchases on the service with existing funds but would not be able to gain access to customer credit cards, according to Sony.
Perhaps the best way to secure existing accounts now would be by creating a completely new email account that you will not use anywhere else and switching your PSN account to use this new email. PSN users risk having their accounts stolen, when this hack becomes more public, if they do not make sure that their PSN account’s email address can’t be traced to their current PSN credential.
Sony CEO Howard Stringer told The Wall Street Journal that it wasn’t possible to guarantee the security of the company’s video-game network or any other web system in the “bad world” of cyber-crime. Maintaining security is a “never-ending process” and Stringer said he wasn’t sure if anyone could be “100 percent secure.”
Kazuo Hirai, the head of the video game and consumer electronics units at Sony, told The Wall Street Journal that Sony has done everything possible to secure its online systems, and if an attacker still gets through, there are safeguards in place to protect the actual data. Sony said it implemented additional software monitoring and vulnerability testing, increased levels of encryption and put in additional firewalls.