Sony just restarted its Playstation Network, after the massive security fail dismissed as a ‘hiccup’ by Sony CEO Howard Stringer. Well, the PSN has barely been up two days, and a massive security oversight has already been discovered. Yes, Sony just got Sony’d. Again. Unbelievable.
This is just unbelievable. You may recall that as part of the PSN’s relaunch, Sony released a new firmware version that forced you to change your password as an additional security measure. The problem is that before the first massive security fail, if you had honestly forgotten your password, you could create a new password by going to a Sony website and entering your email address and date of birth. Nothing special, and this site was still working just fine after PSN’s relaunch to aid people in changing their passwords.
Until you realise that your email address and date of birth were among the leaked information. This means that hackers can simply go to the change-password website, enter your email address and date of birth form the stolen data, et voilÃ , your account has just been re-exploited. It doesn’t matter if you have already changed your password following the recent firmware release.
Nyleveia discovered the exploit, and confirmed that it does, indeed, work. They contacted Sony immediately, and sure enough, the web-based change-password function was taken offline by Sony shortly after. Remember that the change-password functionality on the PS3 itself is still working just fine, since it cannot be used for the exploit.
“Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being,” Sony told EuroGamer, “This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”
No system is ever safe, huh, Stringer? It was just a hiccup, huh, Stringer? I’m no security expert, but I’m starting to a structural problem here.