Security in the cloud is an evolving process: it means addressing the attacks a system is currently understood to face and managing the resulting risk for customers. Today it was discovered that a flaw in the PlayStation Network’s password reset service allows attackers to change your password knowing only your e-mail address and date of birth.
Recently, Sony’s PlayStation Network suffered a massive intrusion that exposed 24.6 million user accounts (across PSN and SOE). Some of the secret information exposed about PSN users happens to be exactly what is needed to make the above exploit work for an attacker. The event shut the entire network down for almost three weeks as Sony worked to fix the underlying security flaws that let the intruders in.
This new problem hits the beleaguered PSN right on the cusp of its return to viable service. The presence of the exploit was first published by Nylevia and quickly corroborated by Eurogamer. Sony quickly responded by knocking out the password reset functionality.
“Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being,” Sony said. “This is due to essential maintenance and at present it is unclear how long this will take.
“In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”
The fix from Sony will probably involve a new authentication step that requires the user to act on the e-mail rather than merely informing them that their account has been changed. The current e-mails only inform; they do not require the user to confirm that they requested the change. Most password reset systems e-mail the new password to the primary e-mail address registered to the account (on the assumption that if an attacker has already compromised a customer’s e-mail account, there are bigger problems).
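As an added illustration, not Sony’s code and not a description of Sony’s actual fix, here is a minimal token-based reset flow of the kind described above: the requester must act on a secret delivered to the registered e-mail address, and knowing the address and date of birth alone gets an attacker nothing. The in-memory stores, account ids and 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stores (a real service would use a database).
# Only the SHA-256 of each reset token is kept, so a leaked table cannot be replayed.
_pending: Dict[str, Tuple[str, float]] = {}          # token_hash -> (account_id, expiry)
_passwords: Dict[str, Tuple[bytes, bytes]] = {}      # account_id -> (salt, pbkdf2 digest)
RESET_TTL_SECONDS = 15 * 60                          # assumed token lifetime

def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def set_password(account_id: str, password: str) -> None:
    """Store a salted, stretched hash of the new password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    _passwords[account_id] = (salt, digest)

def verify_password(account_id: str, password: str) -> bool:
    stored = _passwords.get(account_id)
    if stored is None:
        return False
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def request_reset(account_id: str, now: float) -> str:
    """Issue an unguessable, single-use token and return it for e-mailing to the
    account's registered address. Nothing about the account changes at this point."""
    token = secrets.token_urlsafe(32)
    _pending[_hash_token(token)] = (account_id, now + RESET_TTL_SECONDS)
    return token

def complete_reset(token: str, new_password: str, now: float) -> Optional[str]:
    """Consume the token from the e-mail link and set the password.
    Returns the account id on success, or None if the token is unknown,
    expired, or has already been used."""
    entry = _pending.pop(_hash_token(token), None)   # pop => single use
    if entry is None:
        return None
    account_id, expiry = entry
    if now > expiry:
        return None
    set_password(account_id, new_password)
    return account_id
```

The request step deliberately changes nothing on the account; only possession of the e-mailed token, within its lifetime, lets anyone set a new password.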
Nylevia has posted a long Q&A about the current ramifications of the exploit and how people can make themselves safer:
Q. If I already reset my password am I safe?
A. The exploit was possible on any account for which the email and date of birth were known, regardless of whether the password had been changed or what region the account was tied to.
Q. What if they don’t know my Date of Birth or Email account?
A. Then the average user would not be able to take your account. However, because the database was illegally accessed in April, it’s safe to assume that someone, somewhere, has access to a large number of users’ details, which include dates of birth and email addresses; this alone should be reason enough to change your email.
Q. Are you sure this is real?
A. Yes. It was demonstrated on one of our empty accounts, and we were then able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.
Q. Can Sony fix it?
A. Shortly after contacting SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks were shut down and placed in a maintenance mode. I can only assume this is a direct response to our detailed reports to SCEE. With that said, I assume that when services resume the exploit will be patched and everyone’s data once again safe.
Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of whether they have been affected or not, create a new password and change their account email to one they do not use anywhere else and will not be sharing with anyone else, just for additional security.
Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.