New PSN Account Exploit Reported

It seems we're not clear of all the hacking idiocy just yet.

Various sources have reported a simple exploit that lets hackers change your password using only your PSN account e-mail and date of birth.

As we all know, that information was compromised when the Network was attacked last month. According to Eurogamer, citing Nyleveia.com, Sony has made the PSN sign-in unavailable for several of its websites, including PlayStation.com. For the time being, it's down for maintenance, and Sony issued this statement:

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

Sony did make it clear that such maintenance does not affect PSN-enabled consoles; only the website you click through to from the password verification e-mail message. Currently, the recommendation is that you use a new e-mail for your PSN account, as there's no knowing if the hackers – who may have your information – will try to change your password and hijack your account.

We figure Sony will provide some sort of update at some point.

85 Comments

AshT
12 years ago

what again…damn those hackers….

FatherSun
12 years ago

This is not a hack. It is only a by-product of the original hack. Just try telling that to all the Little Chickens that frequent the internet. I expected this much considering that the data that was stolen was personal user information such as email, DOB, etc.


Last edited by FatherSun on 5/18/2011 12:27:49 PM

TheHighlander
12 years ago

Indeed, but the exploit kind of relies on the attacker having access to the registered email account, and not just knowing the email address, does it not? Unless I've misunderstood the reset process, the reset password value is sent via email to the registered email address. So, as long as you have altered the password on that email account, there's essentially no danger at all.

FatherSun
12 years ago

I think that only applies to those who reset utilizing email. I changed my password via the PS3 only. But I change passwords frequently so I am not worried.

On a related note, I agree with what someone posted on the PSBlog.

Butters360 on May 18th, 2011 at 11:09 am said: Patrick, it's high time you as well as Sony start calling out game sites out on their journalistic integrity. There was no hack involved, but go figure EVERY single website is STILL spreadin F.U.D. articles. This is HIGHLY unprofessional. This is serious and we PS3/ PSN users deserve better than this crap.

Sir Stringer kind of went in that direction but there is only so much he can say without backlash and how the internet can twist words. I'm with Sony. All the way.


Last edited by FatherSun on 5/18/2011 2:38:34 PM

McClane
12 years ago

Is this the same reason why I can't log into the PSN store?

I want to download my free games

jimmyhandsome
12 years ago

No, the PSN store is still down. Should be up sometime before the end of the month. I'm sure Sony will make a big announcement when it's back up.

duomaxwell007
12 years ago

No it won't be back by the end of the month because Sony said they won't start on phase 2 (getting the PS store open) until phase 1 is complete (getting PSN up EVERYWHERE) and with the Japanese government holding back the launch of PSN in Japan… if bureaucrats are controlling that you can expect another 6 months before PSN is up to their standards/expectations…

So let's hope Sony goes back on their word of phase 1 being complete and just get the store up and running for everyone outside of Japan and deal with the Japan problem separately (wouldn't be the first time Sony does the opposite of what they said they would after all right?) Because I'm sure they're not gonna wanna deal with the backlash of their developers losing 6 months of revenue because of no PS store.

Clamedeus
12 years ago

@duomaxwell007

Nothing to worry about, they will be compensated for the downtime of the PS store, or whatever else they have planned to help them out.

frylock25
12 years ago

so we can just change the email that is associated with our psn accounts right?

off topic: crysis 2 is 34.99 on amazon today only. deal of the day

TheHighlander
12 years ago

If you changed the password on your email account itself, that should be sufficient as I understand the reset process. The email account is necessary because when you request a password reset, the reset value is sent to your registered email address. If someone else knows the password to your email account, there is a problem. If they do not, there is no problem. So, change your password on your email account.

ace_boon_coon
12 years ago

I didn't care for Crysis 2 that much; it seems like it's lacking something. I tried to play it, but I just can't get into it.

CoolBLKguy
12 years ago

I thought Crysis 2 was trash personally, one of my few purchasing regrets this gen.

frylock25
12 years ago

yea i had no plans of getting crysis 2. just tryin to pass on the sale. i might rent it.

sonic1899
12 years ago

I'm really getting tired of all these news related to hackers. I don't think about hurting Sony, as much as making themselves known

TheHighlander
12 years ago

This isn't a hack it's simply the possibility that someone could, with the right information and access to your email account, reset your PSN password.

If I understand the process correctly, an attacker would not only have to have the registered email address, PSN ID and DOB information, but also have access to the email account so that when the reset email is sent, they can pick up the reset value from the email. So unless your email account is compromised, this isn't an issue. Sony have to take the precaution because it's *possible* for the exploit to be used. However given the circumstances, how else did anyone expect to reset their password without a PS3 console to do it on?

So in other words, no one has hacked anything new, this is a precaution taken in response to the vulnerability being reported. If you sit and think about how you handle a password reset, there is only really one way to do it, and that relies on the user having several key pieces of information, as well as sole access to the registered email account. So long as you changed the email account's password after the initial hack this kind of thing should not affect you.

Scarecrow
12 years ago

It will only affect those dumb enough not to have changed their email passwords when they read that their information was compromised in the hack back in April.

TheHighlander
12 years ago

Quite. Sadly lots of people apparently didn't get the message…

Beamboom
12 years ago

Also it should be pointed out that this is only an issue if your password for PSN and mail were equal in the first place. If your mail password always has been different from your PSN password (really different, no relation) then you need not change mail password.


Last edited by Beamboom on 5/18/2011 3:01:56 PM

Beamboom
12 years ago

Never mind, Kraygen already has stated this further down. 🙂

ace_boon_coon
12 years ago

This is starting to piss me off. These damn hackers are ruining our fun. I really want to hurt them right now.

coverton341
12 years ago

Just remember, everyone; the hackers are on your side, they are doing this to combat the big evil corporate giant that is Sony. Why, if they just let Sony run rampant, sooner than later we would all be slaves to the system and all of our IP addresses would be logged every time we sneezed and squeaked out gas.

What an absolute load of sh!t

Clamedeus
12 years ago

I don't consider hackers on our side. I don't like 'em.

Especially one with a god-complex.

Oxvial
12 years ago

hehehehe good one Cove.

Jdogtoocool
12 years ago

So if you change your password, can the hacker come back and change your password again to steal it?

Beamboom
12 years ago

No, not unless they got your new password. Just remember to change both psn and mail password if they were the same.

Excelsior1
12 years ago

i don't know. psn is still up, but any negative headlines concern me. i just hope sony remains vigilant. another outage or data breach for sony would be just devastating in terms of consumer confidence. they need to keep from generating any negative headlines in regards to psn. headlines that combine the words psn and exploit just aren't good to hear.


Last edited by Excelsior1 on 5/18/2011 1:35:08 PM

Wissam
12 years ago

Hackers you fail.

bigrailer19
12 years ago

Sony via the PS Blog-

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."


Last edited by bigrailer19 on 5/18/2011 2:14:40 PM

TheHighlander
12 years ago

Indeed.

Personally, if I were Sony, I'd send an email to all accounts that have not yet reset their password. The email would go to the registered email account, and if there is no answer within 2-3 days, I'd suspend the account and require the user to go through an enhanced verification process to reset their password. For safety's sake, I'd also reset any CC number associated with the suspended account. That would protect consumers and Sony alike.

Jdogtoocool
12 years ago

@Highlander
Idk about that, that would probably be a little too extreme but I get where you're coming from

TheHighlander
12 years ago

Well, the account would be suspended, not deleted. It would still be a valid account, but you'd have to go through the enhanced verification to re-activate the account. No content or PS Wallet amounts would be lost, trophies would be preserved as would all activations of software or video content. So the user loses nothing, so long as they can provide adequate assurance that they are who they say they are, and that *is* their account. By removing CC/Payment card details, Sony protects the consumer against the off chance that someone manages to validate someone else's account.

Jdogtoocool
12 years ago

This is the way I see it:
Sony: whoops hackers just destroyed our services and may have your credit card info, your real name and address, aaand to top it off if you don't respond to this email and go through a long and painful verification process you will not be able to use your account. Have a nice day…idk to me that would be a slap in the face

TheHighlander
12 years ago

Or how about this (and before anyone asks, I made this up myself)?

Criminal network hackers recently compromised our network as you may have seen reported in the news media. As communicated via email and our PlayStation Blog, Sony has spent several weeks working around the clock to rebuild PSN security. To maintain user security and prevent unauthorized access, we now require all users to reset their passwords via a secure means. Your password has not yet been reset.

So, we are emailing you as a courtesy reminder to reset your password as soon as possible. We are also informing customers in your situation that we are taking action to protect your data and financial information. Therefore, we are temporarily suspending your account pending a secure password reset. None of your content will be lost, all your trophy and user data is safe.

Out of an abundance of caution, Sony will also remove any credit card data from your account to prevent abuse in the event that a third party fraudulently re-activates your account. We are committed to protecting your data and your account information. Recent attacks on our network have raised awareness of these issues to a new height. We are therefore acting in a corresponding fashion to protect you against possible fraud.

– again, the above is my suggestion of how to communicate such a message, I wrote the message myself, it is *not* from Sony.


Last edited by TheHighlander on 5/18/2011 4:55:56 PM

Clamedeus
12 years ago

I know Microsoft probably isn't linked to this, it very well could be something different.

Conspiracies. :O I love 'em.

TheHighlander
12 years ago

Oh, that wouldn't surprise me, Microsoft have done things like that in the past to Yahoo and Google. It's more in the way of gamesmanship than a direct attack since it's possible it's simply an oversight on a spam filter….or automatic traffic shaping because PSN was suddenly the source of a large number of emails…

You know the kind of thing.


Last edited by TheHighlander on 5/18/2011 3:03:06 PM

Clamedeus
12 years ago

Indeed, I wouldn't doubt it but I also wouldn't rule them out either. It could be something different as well. Not sure, it's very strange though, and the timing of it.


Last edited by Clamedeus on 5/18/2011 3:02:59 PM

TheHighlander
12 years ago

Oh, the exploit is devious and doesn't require access to your email account.

It is based on obtaining the specific reset code/token issued by the reset by email process, and then using that in a specific URL to force a password reset, which then prompts you to change the password.

I'm still not clear how you get the token unless you have access to the email. If the process works like every other reset by email process, that token is given out by registered email, not on a web page. But, I've never used that option, so I don't know from personal experience. If the code/token value is handed out via the web page, I can see the issue. If that's the case, then whoever was responsible for checking the password reset option fell down on the job.

Beamboom
12 years ago

If the token were handed out via the web page then why was there a token in the first place? I mean, that is the whole point of using a confirmed mail address?

This is confirmed?

TheHighlander
12 years ago

Well, the place I read it, wouldn't normally quote, so I decided to go with the gist. Your point about the confirmed email address is an important one, and I agree with you completely. There's no point to a token without a confirmed email address to send it to. It simply wasn't clear from the process flow I read whether the token was obtained from an email, or from the web page itself.

Oh, here's a horrible thought, what if the token value was in the URL of the confirmation page? You know how those long URLs can be, just about anything could be hidden in there.

Beamboom
12 years ago

No no no, no way. It can not have been found anywhere in the source code of the page either. It just is unthinkable for so many reasons.

First of all, for the token to be featured in url or source the token value must have already been created before the next page was successfully sent to the user – something they at that point in time can not know if they were able to do at all. It would just be a complete mess if the values were created whenever someone initiated the process. Also, the values of forms and the syntax of urls are like the *very* first thing anyone looks at if they want to try and mess with the site. A weak script is a hacker's target numero uno.

Secondly, *why* should it be featured in the url? What would that solve?

Thirdly, who would come up with such an idea as a solution?


Last edited by Beamboom on 5/18/2011 3:32:33 PM

TheHighlander
12 years ago

Exactly, it's unthinkable for so many reasons. That's why it has to be sent to the registered email, so this can only be an issue if the email account has already been compromised.

Beamboom
12 years ago

Unless, of course, the token value itself is not random but based on available data like time stamp, country code, psn nick, or whatever, and thus possible to construct without reading the mail at all. But again… *Why* would anyone do that – I simply see no reason to do it in the first place.

These kinds of things may be found if the sloppy solution had some kind of advantage to the developer, usually making something easier. But I see no such advantage here.


Last edited by Beamboom on 5/18/2011 4:05:18 PM

TheHighlander
12 years ago

Agreed, there's no reason to build a token based on guessable elements of data. Simply use a random number generator to build a token value. Good lord, it would almost take more work to do it any other way.


Last edited by TheHighlander on 5/18/2011 4:04:15 PM
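
Added example, not part of any commenter's post and not Sony's code: a sketch of the two token designs contrasted in the comments above, one derived from knowable data and one drawn from a random generator and delivered only by e-mail. The class name, account ids and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not a value from the thread


def guessable_token(psn_nick: str, issued_at: int) -> str:
    """Anti-pattern from the discussion: token built only from knowable data.

    Anyone who knows the nick and the request time computes the same value,
    so possession of the token no longer proves access to the mailbox.
    """
    return hashlib.sha256(f"{psn_nick}:{issued_at}".encode()).hexdigest()[:32]


class ResetTokenStore:
    """Hypothetical server-side store: random, hashed, single-use, expiring."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account id -> (sha256 of token, expiry time)

    def issue(self, account_id: str) -> str:
        # 32 bytes from the OS CSPRNG. The return value goes ONLY into the
        # e-mail to the registered address, never into the HTTP response
        # or the URL of the confirmation page.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account_id] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account_id: str, token: str) -> bool:
        # The token is checked against the account it was issued for, so a
        # valid token for one account cannot reset another.
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong token: keep the entry for the real owner
        del self._pending[account_id]  # matched: consume it, expired or not
        return self._now() <= expires_at
```

A production service would also rate-limit failed `redeem` calls per account and per source address.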

Beamboom
12 years ago

Yes indeed. Ergo, that can't be it.

But if bottom line here is that "if your mail account is compromised then mail based password reset is a Bad Thing", then why is this even a story at all now? What's new? What's "discovered"?

Another thing is, why would anyone not just use the ps3 to change password now after the update?


Last edited by Beamboom on 5/18/2011 4:51:55 PM

TheHighlander
12 years ago

I'm guessing that there will be those whose PS3 met its maker during the 24 day outage, and also Qriocity subscribers who don't have a PS3. But in reality, that should be a very small number – relatively speaking.

Still, people persist in suggesting that the website provides the reset code. I never used the password recovery (reset) option before all of this, but it was my understanding that it sent the reset code to you in email. I can't see why this would be any different now.


Last edited by TheHighlander on 5/18/2011 5:33:46 PM

Beamboom
12 years ago

Well, it could still have sent you an email…
It's almost too bad it's disabled now, I'd love to see this for myself!

TheHighlander
12 years ago

Me too Beamboom, me too.

Fane1024
12 years ago

Guys,

If you reset your password, it does indeed send you an e-mail message with an embedded link to the page where you can change your password. I don't have enough technical knowledge to give more details (i.e., when the token was given), though.

It didn't allow me to access that page using the PS3 browser (which I had used to check my webmail); it required a PC.


Last edited by Fane1024 on 5/19/2011 1:28:56 AM

TheHighlander
12 years ago

Thanks Fane, that means it operates as it ought to. So you can't really do much without access to the registered email account, right?
