[UPDATE] PSN Password Reset Vulnerable to Exploit

[SaintWaldo]

Just change the password through a console, not a website. It's really that simple. I feel the need to point out that ALMOST EVERY web login will reset your password with only the email addy, so this is a two-part key needed to even start the ploy. Not a very big threat profile AT ALL.

 

[loogie]

Honestly what are you expecting... a company that has a billion customers had to completely redesign their entire security system in under a month isn't going to do so carefully, or critically, they are going to get things done as fast as possible, which will also mean they will most likely miss a few things...

I'm not surprized something as simple as this is happening, when you design a system, you get tunnel vision, thats why you get others to look at it and make sure it's been covered by all angles, when your rushing the release, you have less/no time to do so...

 

[loogie]

No, Sony isn't any different than a bunch of other sites. Both Microsoft & Apple's ID's aren't that hard if you just have a few simple pieces of info. This is an overarching problem that isn't going away with Sony making a few adjustments.

Difference is Microsoft and Apple don't hand over everyones personal information making such hacking so much easier... Sony JUST had a huge leak of personal info which is exactly the type of thing they can use to steal your accounts... Even if they call up support and are asked questions on every bit of personal information Sony has on you, they can get them all right... It's just careless to have such a flaw in your system knowing that such information was just leaked.

 

[loogie]

Just change the password through a console, not a website. It's really that simple. I feel the need to point out that ALMOST EVERY web login will reset your password with only the email addy, so this is a two-part key needed to even start the ploy. Not a very big threat profile AT ALL.

You don't really understand do you?
THEY can change your password without your knowledge... so if you fail to change your account before they do, you have lost your account... The difference between this and every other password reset system is that most give you a temporary URL to "authenticate" the change, which is sent to your email address for you to confirm the change... thus if they don't have access to your email, nothing will happen... Sony's doesn't have such verification, and is thus vulnerable... Thats a pretty big hole.

 

[Buccura]

As a precaution you should have a seperate email for any online account that would be a target anyway (such as game accounts, bank, insurance, etc)

 

[Danzaivar]

...

Really? Can these guys just stop? Sony's been through enough already. That's coming from a PC/360 user, too.

Yeah they really should have kept quiet for a few weeks and let some people with malice find this out instead.

 

[kurokotetsu]

Yeah, it may be similar in other sites. But that is no excuse. This is a security flaw and should that shouldn't be forgiven. Yes, Sony had a pretty rough month, but it is not the customers fault that there was vulnerabilities in the system. So Sony is not getting sympathy from me. It is their job to make sure that your information isn't leaked. They failed at it (with this, it can be said that it happened twice), so I'm not saying poor Sony. I'im saying do something about it.

 

[GonzoGamer]

There is never an end to this entire shitstorm, is there?

If you owned a psp, you would already know that the answer to that is No.

 

[Amondren]

Oh goody *clap clap* kick a man while he's down now thats nice. I miss being able to play LBP2 online its annoying that people wont give them a break.

 

[mjc0961]

I thought the whole point of the "You have to get the e-mail and use the included link within 24 hours or it expires to change your password from the web" set-up was so that this exact scenario could NOT happen.

At least the people who found it reported it to Sony and Sony acted on the information as soon as possible. Now, whoever found this exploit might not actually be a hacker in the traditional definition, but this is the sort of thing good hackers do: find exploits and report them so that companies can fix them. This is why not all hackers should be shot or launched into the sun or whatever other stupid scenarios people have ranted about doing to hackers because of the person or people who hacked PSN.

 

[Reed Spacer]

Now, if Sony hadn't taken away Other OS (and backwards compatibility for that matter (try to find a PS2 if yours craps out; g'wan, I dare you)), this probably wouldn't be happening.

 

[erztez]

Oh goody *clap clap* kick a man while he's down now thats nice. I miss being able to play LBP2 online its annoying that people wont give them a break.

Kicking a man? That's wrong.
Kicking a multi-billion dollar company that gave us such wondrous gifts as SecuROM and the BMG rootkit? That's FUN...

 

[gphjr14]

You are right, when they say "It only does games" people will expect that.. Just as when they say "it does other things" they should expect it to do other things, I don't recall them stating "It'll do other things, for awhile anyways... then we're going to stop allowing you to do that"

Read the fine print of the user agreement. They were within their right to remove a featured that was used for piracy. Doesn't matter anyways they've figured it out now so they can't really prevent it.

 

[kebab4you]

Now, if Sony hadn't taken away Other OS (and backwards compatibility for that matter (try to find a PS2 if yours craps out; g'wan, I dare you)), this probably wouldn't be happening.

Never say never, but most likely the firmware that started it all wouldn't be out today.

 

[Martster]

Even though I don't own a PS3 myself I'm getting sick of this

Cant the hackers leave Sony alone and let gamers get back to what they love

 

[Celinis]

All this hacking kinda makes me wonder what other companies are learning from this whole Sony situation. It would be very unwise for companies like Microsoft and Blizzard to not learn from all this.

Why do people do things like this, "just cause"... "2."

See this is why we can't have nice things on the internet.

 

[loogie]

You are right, when they say "It only does games" people will expect that.. Just as when they say "it does other things" they should expect it to do other things, I don't recall them stating "It'll do other things, for awhile anyways... then we're going to stop allowing you to do that"

Read the fine print of the user agreement. They were within their right to remove a featured that was used for piracy. Doesn't matter anyways they've figured it out now so they can't really prevent it.

this isn't a legal issue, they promoted their product to do things other then just games, then they removed that very concept, just because it's legal for them to do so, doesn't mean we shouldn't expect more.

 

[loogie]

All this hacking kinda makes me wonder what other companies are learning from this whole Sony situation. It would be very unwise for companies like Microsoft and Blizzard to not learn from all this.

Why do people do things like this, "just cause"... "2."

See this is why we can't have nice things on the internet.

Microsoft? Blizzard?

I'd be happy with Sony learning something from this mess... which they've yet to do.

 

[loogie]

Even though I don't own a PS3 myself I'm getting sick of this

Cant the hackers leave Sony alone and let gamers get back to what they love

What are you talking about? Hackers didn't do this. Sony basically left the door wide open for hackers to steal your info.. AGAIN.. People aren't claiming that hackers have done it, someone has just pointed out that fact...

 

[Martster]

Even though I don't own a PS3 myself I'm getting sick of this

Cant the hackers leave Sony alone and let gamers get back to what they love

What are you talking about? Hackers didn't do this. Sony basically left the door wide open for hackers to steal your info.. AGAIN.. People aren't claiming that hackers have done it, someone has just pointed out that fact...

Sorry seems I've misread what's happening here. Still when will the bad luck end for sony