Page 1 of 2
Sony has once again taken down its PlayStation Network login and password reset pages to block a serious security vulnerability following reports of yet another external hack targeting user accounts.
The vulnerability, first reported by U.K.-based gaming news blog Nyleveia.com, occurs in the way that the password reset form is implemented , which contains a glitch that fails to properly verify tokens. Hackers can subsequently launch an attack exploiting the vulnerability only by knowing users' date of birth and e-mail addresses in order to access their PlayStation Network accounts.
"I want to make this clear to ALL PSN users. Despite the methods currently employed to force a password change when you first reconnect to the PlayStation Network, your account still remains unsafe," according to Nyleveia.
Sony issued a statement following the news of the latest hack, alerting users that PlayStation Network login and password reset pages were offline, but denying that an external hack was involved.
"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed," according to a Sony blog post. "Consumers who haven't reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the Web site as soon as we bring that site back up."
Researchers at Nyleveia reported that they "provided a detailed description" of the exploit to Sony as soon as it was detected, after which Sony immediately took down the login and password reset sites.
Sony took down PlayStation Network login and password sites just four days after the company fully recovered services following a massive external hack in April that compromised 77 million PlayStation Network and Qriosity user accounts. The hacked Sony database included scads of personally identifying user information, including date of birth, e-mail and home addresses and login credentials. Sony executives said it was unlikely , but did not rule out the possibility that users' credit card data was also exposed.
Nyleveia researchers said that "it's safe to assume that someone, somewhere, has access to a large number of users' details," according to the blog post. "This alone should be reason enough to change your e-mail."
Nyleveia recommended that users create a completely new e-mail account not used anywhere else, and switch their PSN account to the new e-mail in order to avoid become the target of a future malicious attack.
"You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account's e-mail is one that cannot be affiliated with or otherwise traced to you."
Meanwhile, Sony's prior breach and possibly its latest gaffe, have called into question the security posture of the electronics giant, and the safety of users' data stored remotely in private clouds.