[Owasp-singapore] New PlayStation Network hack hijacks user accounts

Wong Onn Chee ocwong at usa.net
Wed May 18 19:40:41 EDT 2011


http://www.theregister.co.uk/2011/05/18/sony_playstation_account_hijacking/

The exploit involved the bypass of a digital token system that Sony used
when users reset their PSN password. Attackers could carry out the
attack by visiting
https://store.playstation.com/accounts/reset/resetPassword.action?token
and then, in a separate browser tab, opening a different page on
us.playstation.com and following Sony's reset procedure, which required
only the date of birth and email address associated with the account.

The attacker would then return to the original tab and, armed with the
browser cookie just issued by Sony's servers, complete an image
verification on the page. The attacker would then proceed to a screen
allowing him to change the victim's password.

"The page
https://store.playstation.com/accounts/reset/resetPassword.action?token,
acts as though you had clicked the unique link sent to you via Sony for
completing the second page's password reset," Pilkington said during a
discussion over instant message. He said it's "highly unlikely" the
exploit technique was discovered until Tuesday evening.

-- 

Best Regards
Onn Chee
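The article describes a reset flow in which answering the identity questions (email plus date of birth) left state that a page with an empty token parameter then honoured as if the emailed link had been clicked. The following is an added example, written for this post and not code from the article, from Sony, or from the list author: a minimal token-gated reset service in Python in which the identity step only earns a token delivered out of band, and the only thing that can authorise a password change is an unexpired, unused token. The class, the 15-minute lifetime and the sample account are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Token lifetime; an assumed value for the example, not taken from the article.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRequest:
    account_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Token-gated password reset (hypothetical service for this example).

    Answering the identity questions only causes a token to be issued for
    delivery out of band; the server keeps no "questions answered" flag in
    a cookie or session. Possession of a valid token is the sole authority
    for changing the password.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # Pending requests keyed by SHA-256 of the token, so a leaked table
        # does not hand out live tokens.
        self._pending: Dict[str, ResetRequest] = {}
        self.passwords: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, account_id: str) -> str:
        """Called after email and date of birth match. Returns the token to email."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._digest(token)] = ResetRequest(
            account_id=account_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token

    def _lookup(self, token: str) -> Optional[ResetRequest]:
        wanted = self._digest(token)
        # Compare against every stored digest in constant time so response
        # timing does not reveal how close a guess came.
        found = None
        for stored, req in self._pending.items():
            if hmac.compare_digest(stored, wanted):
                found = req
        return found

    def complete_reset(self, token: Optional[str], new_password: str) -> Tuple[bool, str]:
        # An absent or empty token (the bare "?token" case in the article) is
        # rejected outright rather than treated as "the link was clicked".
        if not isinstance(token, str) or not token:
            return False, "missing token"
        req = self._lookup(token)
        if req is None:
            return False, "unknown token"
        if req.used:
            return False, "token already used"
        if self._clock() > req.expires_at:
            return False, "token expired"
        req.used = True  # single use
        self.passwords[req.account_id] = new_password
        return True, "password changed"


def demo() -> Dict[str, object]:
    """Run the flow against a controllable clock and report each case's outcome."""
    now = [1_000_000.0]
    svc = PasswordResetService(clock=lambda: now[0])
    svc.passwords["victim"] = "old-password"  # constructed sample account
    token = svc.request_reset("victim")
    results: Dict[str, object] = {}
    results["empty_token"] = svc.complete_reset("", "attacker-pw")[0]
    results["wrong_token"] = svc.complete_reset("not-the-token", "attacker-pw")[0]
    results["valid_token"] = svc.complete_reset(token, "new-password")[0]
    results["replayed_token"] = svc.complete_reset(token, "again")[0]
    token2 = svc.request_reset("victim")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired_token"] = svc.complete_reset(token2, "too-late")[0]
    results["final_password"] = svc.passwords["victim"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that the two steps in the article share nothing but the token: the page that changes the password never consults a cookie set by the identity step, so opening it in another tab with an empty token has no state to ride on.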


