Sony does it again - password reset URL exploit

Posted on May 19, 2011 | 3 minute read

A new wave of “omgzzz Sony’s been hacked again” outcries is coming out this morning. Well…no - Sony was not hacked again. However, Sony did allow users’ accounts to be compromised again via a URL exploit. According to Kotaku, here is the latest exploit (which can no longer be used, as Sony shut down the relevant services):

  1. Navigate to: https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=YYYYYYYYYYYYYYYYYYYYYYYY with the y’s being a unique token) - do not enter the code at this point.

  2. Open a new tab in Firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)

  3. Click Recover password

  4. Enter the email and date of birth of the target account

  5. Click continue, then on the confirmation page, click “Reset using E-mail”

  6. Switch back to the original tab, and enter the code, then click continue

  7. You will now be asked to enter a new password for the target account
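
The steps above reach the new-password form without ever presenting the token from the reset e-mail. As an added example (not Sony's code and not part of the original post), here is a minimal Python sketch of a reset service in which the e-mailed token is the only thing that authorizes a password change. The class name, the token lifetime and the in-memory store are assumptions; the page does not describe how Sony's service was built.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not a value from the page


class ResetService:
    """In-memory sketch: the e-mailed token is the only proof of authorization."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (account, expiry); raw tokens are never stored
        self.passwords = {}  # stand-in for a credential store (a real one keeps a hash)

    def issue(self, account):
        """Start a reset; the returned token is sent to the account's mailbox only."""
        # A new request invalidates any earlier token for the same account.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, new_password):
        """Change the password only for the account the presented token was issued to.

        There is deliberately no account or session argument: which account is
        being reset is derived from the token, never from browser-side state.
        """
        if not token:  # covers "?token" and "?token=" with no value
            return False
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        account, expiry = entry
        if self._clock() > expiry:
            return False
        self.passwords[account] = new_password
        return True

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```

Because `redeem` takes no session or account input, starting a reset for an account in another tab changes nothing about what a request with a missing token is allowed to do.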

In my opinion this wouldn’t really be so bad if this was a standalone incident - suddenly this exploit pops up, relevant password reset services are taken down the same day to fix any holes. Bad, but nothing too major as users don’t actually lose control of their account permanently. However, this follows on the heels of Sony’s complete revamp of the PSN’s network security after a major hacking. This would be hugely embarrassing for Sony, not to mention incompetent on their part.

My question is: was this exploit always possible, even before the security revamp? If someone knew their victim’s email address and date of birth, could they have done this all along since the system was put in place? And if so, why is this only coming out now - more specifically, why is Sony only finding out about this now?

I wonder what the problem was. Did Sony just rush through its work on the PSN network’s security to the point of leaving a gaping flaw? How did they not put two and two together and realize that they’re getting users to reset their passwords using the details that were just stolen something like a month ago?

Needless to say people are angry. I would be angry, too. Like I said, probably not if this was a standalone incident (though I’d still be pretty peeved), but in this situation - yup, anger is the right emotion for it.

I feel pretty bad for the devs working on this whole thing. I don’t know whose fault this was, but they must be under so much pressure right now.

Do you think people are making too big a deal out of this Sony URL exploit? Do you know of anyone personally who has been affected by the exploit?



