Report: PSN password page exploit found, site pulled [Update]

The PlayStation Network password reset page reportedly suffered an exploit that allowed attackers to change one's password. Sony has pulled several Web sites for "maintenance."


[Update 12:00 pm] Sony's Patrick Seybold has issued an update, acknowledging the exploit as the reason for the site outages. He says the URL exploit has been fixed internally, and that passwords can still be updated via your PlayStation 3 while you wait for the sites to come back up.

[Original Story] The PlayStation Network password reset page may have suffered a security exploit of its own, leading Sony to pull several sites. The potential issue was pointed out by Nyleveia, and echoed by both Eurogamer and NeoGAF users.

Reportedly, the exploit allowed attackers to change your password using the e-mail account and date-of-birth associated with your PSN account. Since both pieces of information were compromised in the recent PSN hack, whoever had that data could have changed passwords before Sony pulled the websites. On the bright side, if your password had been changed by someone else, you'd at least be notified via e-mail.
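As an added illustration (not Sony's code and not part of the original report): `weak_reset` models only what the report states, a password change gated on e-mail address and date of birth, while `request_reset`/`complete_reset` show a flow in which those two values merely trigger a single-use, expiring token sent to the mailbox. All function names, the account record and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds; assumed lifetime for a reset token

# Constructed account record (not real data).
ACCOUNTS = {"user@example.com": {"dob": "1990-01-01", "password": "old-secret"}}
PENDING = {}  # email -> (sha256 hex digest of token, expiry timestamp)


def weak_reset(email, dob, new_password):
    """Knowledge-only reset: anyone holding leaked email + DOB succeeds."""
    acct = ACCOUNTS.get(email)
    if acct and hmac.compare_digest(acct["dob"], dob):
        acct["password"] = new_password
        return True
    return False


def request_reset(email, dob, now=None):
    """Email + DOB only starts the flow; the token goes to the mailbox."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if not (acct and hmac.compare_digest(acct["dob"], dob)):
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[email] = (digest, now + TOKEN_TTL)  # store only the hash
    return token  # in production: e-mailed, never returned to the requester


def complete_reset(email, token, new_password, now=None):
    """Change the password only for a valid, unexpired, single-use token."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del PENDING[email]  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return False  # a wrong guess does not cancel the owner's token
    del PENDING[email]  # single use: consumed on success
    ACCOUNTS[email]["password"] = new_password
    return True
```

With the second flow, leaked e-mail and date-of-birth data is not enough on its own; the requester must also control the mailbox that receives the token.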

A community moderator for the PlayStation Europe forums noted that PlayStation.com, PlayStation forums, PlayStation Blog, Qriocity.com, Music Unlimited via web, and PlayStation game title sites have been taken down. You can still sign on with your PS3 and PSP to access online play, if you've already changed your password.

"Unfortunately, this also means that those who are still trying to change their password via PlayStation.com or Qriocity.com will be unable to do so for the time being," said the moderator. "This is due to essential maintenance and at present it is unclear how long this will take."

Nyleveia, which first noted the exploit, claims that Sony took the system down about 15 minutes after receiving a response from Sony Computer Entertainment Europe.

We haven't heard any reports of unauthorized password changes, so if the exploit reports are true, it seems likely that Sony caught it early. We've contacted Sony for comment.

From The Chatty
  • reply
    May 18, 2011 9:15 AM

    Steve Watts posted a new article, Report: PSN password page exploited, pulled.

    The PlayStation Network password reset page reportedly suffered an exploit that allowed attackers to change one's password. Sony has pulled several Web sites for "maintenance."

    • reply
      May 18, 2011 9:21 AM

      I found this moderately amusing... but seriously... another security blunder by Sony, this close after the original screw up? This is looking really bad...

    • reply
      May 18, 2011 9:42 AM

      Kind of an inflammatory headline contradicted by the last paragraph in the report.

      It occurs to me that, as they restore services, Sony would be smart to audit every aspect of their network. Doubly smart to get an external entity to audit and then take action accordingly.

      This is not a new problem. They've identified a long-standing problem and are being more proactive about it.

      :P

      • reply
        May 18, 2011 12:08 PM

        How is it inflammatory? An exploit was found (but not used), and the sites were pulled down. Seems pretty clear-cut to me.

        • Ebu
          reply
          May 18, 2011 2:28 PM

          "Report: PSN password page exploited, pulled"

          Saying it was exploited implies that the exploit was used. If that wasn't the case, it was inflammatory and intellectually dishonest.

    • reply
      May 18, 2011 10:13 AM

      lol I'm happy I removed all my info from my SOE Account. You know if PSN is having problems SOE is going to say they had the same problem next week.

    • reply
      May 18, 2011 10:16 AM

      Hey Shacknews. An exploit was found, but it was not exploited. It says so in your article.

    • reply
      May 18, 2011 10:18 AM

      Sigh...

    • reply
      May 18, 2011 10:54 AM

      Though reports seem to indicate that the exploit was discovered by testing it... in which case "exploiting" the site, we have changed the headline to offer a better understanding of this current report.

    • reply
      May 18, 2011 10:56 AM

      At this rate PSN should be back online by Christmas. Sony are a bunch of idiots, and that's why I hate PS3 and will never buy one.

      • reply
        May 18, 2011 11:34 AM

        I'd rather buy from bumbling oafs who occasionally screw up than from a megacorp that attempted to sell exceptionally faulty equipment in an attempt to get a head-start in the race to the next gen.

        • reply
          May 18, 2011 11:54 AM

          really? you people are just asking for a console war.

        • reply
          May 18, 2011 12:58 PM

          holy lol batman

        • reply
          May 18, 2011 3:14 PM

          Are you saying Sony isn't a mega corp?

          • reply
            May 18, 2011 4:47 PM

            They don't have half the cash Microsoft has laying around, but no, that's not what I was saying. My main point was that Microsoft knowingly sold extremely defective hardware. That should really be the pivot point of that thar statement.

            • reply
              May 18, 2011 7:13 PM

              Maybe, but they made good on replacing said hardware. It took them longer than a lot of people wished but they even extended warranties for people who hadn't suffered the RROD.

        • reply
          May 18, 2011 3:47 PM

          lol frontpage posters :)

      • reply
        May 18, 2011 2:26 PM

        PSN is back online already

    • reply
      May 18, 2011 12:25 PM

      PSN users are the beta testers, don't be alarmed, it's standard. Or you console-only people can come to the land of freedom, safety, and security. The PC. http://chattypics.com/files/PC_x9gh3lwvvocrhf9s7d30.jpg

    • reply
      May 18, 2011 1:24 PM

      It was just a minor exploit you'd need all that other info just to get their password to reset... Those idiots from Kotaku are some of the worst reporters in the world, they say the site was hacked and it wasn't... Shit like this happens all the time plus everyone's looking for a way to reset their password from a bogus Email so...

      • reply
        May 18, 2011 2:21 PM

        Kotaku has to get those pageviews up to pay for that redesign.
