New exploit compromises PSN password reset system
A new security concern has arisen barely a day after the PSN went back online
When Sony began restoring the PSN earlier this week - albeit in limited form starting with gaming, music and video services - many believed the end was in sight for the problems facing the network that had seen it offline for nearly a month after the details of 77 million users were stolen. In yet another hiccup for the service, Nyleveia.com yesterday revealed a hack had surfaced that allowed attackers to change a user's password using the email address linked to the user's account and the user's date of birth - exactly the kind of information that was compromised in the original attack on the service that saw it taken offline in the first place.
After confirming the security flaw, Nyleveia contacted Sony Computer Entertainment Europe (SCEE) and the Web-based PSN login/Password recovery site was taken down "for maintenance." PlayStation Blog is now reporting the "URL exploit" has been fixed and encourages those who haven't already reset their passwords to do so directly on their PS3 while Sony works to get the password recovery website back up - which it says will happen "soon." However, Nyleveia recommends setting up a completely new email account to use only with your PSN account to be on the safe side.
The latest security hole will do nothing to instill confidence in Sony among PSN users, but in an attempt to smooth things over Sony earlier this week announced details of its "Welcome Back" initiative that allows PS3 and PSP users to download a couple of free games as well as getting 30 days free access to the PlayStation Plus premium service. Qriocity subscribers will also receive 30 days free access to that service.
Hopefully the company has now ironed out all the security holes and PSN users can get on with the important business of playing games.
About the Author
Darren's love of technology started in primary school with a Nintendo Game & Watch Donkey Kong (still functioning) and a Commodore VIC 20 computer (not still functioning). In high school he upgraded to a 286 PC, and he's been following Moore's law ever since. This love of technology continued through a number of university courses and crappy jobs until 2008, when his interests found a home at Gizmag.
All articles by Darren Quick
And this is an exploit because?..... Big deal... using information that was stolen? How surprising that you need a date of birth and your email. Things that normally would not have been known until stolen. What kind of exploit is that?
You copy the login info, then you have access to credit cards and game downloads.
@Rocky ~ this is still an exploit because even without counting the information that was stolen earlier, being able to reset a password with just an email address and date of birth is very weak security in any system. Very little hacking, either social or otherwise, would allow me to discover the email address and date of birth of many people, most of whom I do not know. Those two pieces of information are the easiest to find for just about any person. Sony is going to have to come up with a more secure system for allowing the reset of passwords online.
Date of birth can easily be found on a Facebook page as public information, and then you can do an email search for that person on Yahoo People search... what lame "security"....