Sony closed a recently discovered security flaw that would have allowed anyone with access to user data to reset passwords to gain control of PlayStation Network and Qriocity accounts.
Sony plugged a security hole
that could have allowed hackers to gain control of accounts on the PlayStation
Network and Qriocity music and video service, the company said.
The latest security hole was
found on the Webpage that users were using to reset passwords for their PSN and
Qriocity accounts from their PCs, according to a May 18 report in The Wall Street Journal
. After restoring the PSN
network after nearly a month offline, Sony required users to first update the
firmware on their PlayStation console and then to reset their account password.
The security hole on the
password reset page allowed anyone with the account holder's date of birth and
email address to reset the passwords. Considering that Sony said birth dates
and email addresses were among the personal information stolen when attackers
breached its servers, changing the passwords to gain control of the user
accounts is not an unlikely scenario.
Gaming Website Nyleveia.com
confirmed the exploit actually worked on its Website on May 17. Noting that the
instructions for the attack were "doing the rounds" and spreading rapidly,
Nyleveia contacted Sony to address the issue.
The password reset page for
the PlayStation Network remains down, even though the flaw has been fixed,
according to Nick Caplin, head of communications at Sony
Computer Entertainment Europe
. The Website will be available "as soon as we
bring that site back up," wrote Caplin.
This should not affect users
trying to get back on the PSN, as they can use the PlayStation 3 console to
reset their PSN passwords. The problem was only present for users using their
own computer to access the page online, a Sony spokesperson told The Wall
Sony discovered that unknown
intruders had breached its servers around April 16 and stolen personal information
belonging to 77 million individuals with accounts on the PlayStation Network
and Qriocity. The company shut down the services without warning on April 20,
and then finally admitted to the breach on April 26. It discovered the second
data breach affecting an additional 25 million individuals with accounts on
Sony Online Entertainment service on May 2 as well as a handful of smaller
Analysts had estimated the
breach will wind up costing the company as much as $1 billion in remedies,
damage to the brand and lost business.
Gene Spafford, a computer
science professor at Purdue University, testified at a Congressional hearing on
May 4 that Sony did not have a firewall running on PSN
and that it was running an obsolete version of the Apache Web
John Bumgarner, CTO of
independent, non-profit research institute United States Cyber-Consequences
, uncovered even more security vulnerabilities as recently as May 10.
The latest vulnerabilities included being able to access internal resources,
such as security-management tools and other internal applications, on several
pages affiliated with Sony.
A Sony spokesman told the
Wall Street Journal the vulnerability was a "URL exploit," which would allow
the attacker to trick the reset page by manipulating the page's address. An
attacker who'd hijacked a PSN user account would be able to make purchases on
the service with existing funds but would not be able to gain access to
customer credit cards, according to Sony.
Perhaps the best way to
secure existing accounts now would be by creating a completely new email
account that you will not use anywhere else and switching your PSN account to
use this new email. PSN users risk having their accounts stolen, when this hack
becomes more public, if they do not make sure that their PSN account's email
address can't be traced to their current PSN credential.
Sony CEO Howard Stringer
told The Wall Street Journal that it wasn't possible to guarantee the security
of the company's video-game network or any other Web system in the "bad world"
of cyber-crime. Maintaining security is a "never-ending process" and Stringer
said he wasn't sure if anyone could be "100 percent secure."
Kazuo Hirai, the head of the
video game and consumer electronics units at Sony, told The Wall Street Journal
that Sony has done everything possible to secure its online systems, and if an
attacker still gets through, there are safeguards in place to protect the
actual data. Sony said it implemented additional software monitoring and
vulnerability testing, increased levels of encryption and put in additional