Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts.
The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an attacker know the date of birth and email address associated with a targeted user's account, Daniel Pilkington, the site's founder, told The Register. He said he observed internet chat relay discussions that showed a small number of people exploiting the flaw “to take control of an unknown number of accounts.”
“It had the potential to be used maliciously, but we think Sony acted soon enough,” Pilkington said.
Once Sony disabled the login pages, the attacks were no longer possible, he explained.
After this article went live, the company published a blog post that said:
"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."
Pilkington said he stood by his account. Sony didn't elaborate on the URL exploit or say when the web-based pages would be restored. Password reset features that use the PlayStation console continue to work normally.
The blunder raises new doubts about Sony's ability to secure the PlayStation Network just as the company is trying to regain the confidence of dubious government officials and its 77 million account holders. Sony took down the service on April 20, following the discovery that core parts of its network had suffered a criminal intrusion that stole names, user names, passwords, birth dates, addresses, and other sensitive details of all its users. Company executives have said they can't rule out the possibility that credit card data was also taken.
Pilkington said he was initially skeptical of the vulnerability claims until one of the participants in the IRC chat demonstrated the attack on a test account Nyleveia had set up.
“The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to,” the website reported. “It was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.”
Pilkington said he emailed the details to a Sony public relations official, and the login pages were disabled about 15 minutes after a representative sent a response.
Pilkington described the exploit process this way:
The exploit involved the bypass of a digital token system that Sony used when users reset their PSN password. Attackers could carry out the attack by visiting https://store.playstation.com/accounts/reset/resetPassword.action?token and then, in a separate browser tab, opening a different page on us.playstation.com and following Sony's reset procedure, which required only the date of birth and email address associated with the account.
The attacker would then return to the original tab and, armed with the browser cookie just issued by Sony's servers, complete an image verification on the page. The attacker would then proceed to a scree allowing him to change the victim's password.
“The page https://store.playstation.com/accounts/reset/resetPassword.action?token, acts as though you had clicked the unique link sent to you via Sony for completing the second page's password reset,” Pilkington said during a discussion over instant message. He said it's “highly unlikely” the exploit technique was discovered until Tuesday evening.
Sony has yet to issue any confirmation of the flaw, which Pilkington said has affected PSN users since Monday, when it was reopened following 24 days of continuous outage. On the company's European blog it said only that PSN sign-in services were down for PlayStation.com, PlayStation forums, the PlayStation blog, and complementary services including Qriocity.com, Music Unlimited via web browsers, and all PlayStation game title websites.
“Unfortunately this also means that those who are still trying to change their password password via Playstation.com or Qriocity.com will be unable to do so for the time being,” the Sony blog said. “This is due to essential maintenance and at present it is unclear how long this will take.”
Sony is requiring all PSN users to change their password before they can use the reopened service. The removal of the reset webpages means users for the time being can reset their pass phrases only through their PlayStation consoles, which remain unaffected by the outage.
The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country's government had about its security. ®
This article was updated to add details Sony subsequently published on its blog.