
PlayStation Network Password Recovery Exploited [Update]

May 18, 2011 Written by Corey Schwanz

[Update] Patrick Seybold, Sr. Director of Corporate Communications and Social Media, has released a statement on the PlayStation.Blog regarding this situation. Seybold clarifies that it was not a “hack”, but a URL exploit that Sony has now fixed. See the full statement (and original article) after the jump.

Here’s the official statement:

We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting passwords there was a URL exploit that we have subsequently fixed.

Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.

[Original Article] The Password Recovery program that Sony has been running since the PSN’s return has been moving along nicely. With such a huge influx of people requesting their information through their secure email connection, as opposed to on a PS3, Sony stated that the process would take a little longer than originally estimated. It may be even longer now. While the hack that shut down the PSN was quite “sophisticated,” a small exploit seems to have been discovered that allows passwords to be changed again.

But if you’re worried that your PS3 will go silent once again, fret not. This password exploit seems to only be affecting various web-based Sony services. An official community moderator on the EU PlayStation forums has indicated that several sites are offline, including PlayStation.com, the forums, the Blog, Qriocity.com, and others. The login functions for these services are currently unavailable. For the time being, all PlayStation Network activity is still online for PS3 and PSP users, so you don’t have to worry about that. But what DID happen?

If you wanted to reset your PSN password from your computer, you were sent an email with a unique URL to match your account. The entire process is actually fairly primitive. Note that it won’t work right now, as login services are offline.

The procedure is as follows:
1) Navigate to https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=YYYYYYYYYYYYYYYYYYYYYYYY with the y’s being a unique token) – do not enter the code at this point.
2) Open a new tab in Firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)
3) Click Recover password
4) Enter the email and date of birth of the target account
5) Click continue, then on the confirmation page, click “Reset using E-mail”
6) Switch back to the original tab, and enter the code, then click continue
7) You will now be asked to enter a new password for the target account
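The flow above only works because the reset page accepted a request with an empty `token` parameter and then applied the password change to whichever account had most recently been looked up in the browser session. The article gives no detail on Sony’s implementation, so the following is an added, constructed illustration (not Sony’s code) of how a reset endpoint avoids that class of bug: the account to change is derived solely from a valid, unexpired, single-use token, and a missing token is rejected outright. The class, field names and the one-hour lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


class PasswordResetService:
    """Constructed illustration of a token-bound password reset (not Sony's code)."""

    def __init__(self, now=time.time):
        self.now = now
        self.passwords = {}  # email -> password; plaintext only to keep the demo short
        self.pending = {}    # sha256(token) -> (email, expires_at); raw token never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Steps 3-5 of the flow: mint a fresh token bound to this account.

        The token is returned here only so the demo can use it; a real service
        places it in the email and never echoes it into a web page or session.
        """
        token = secrets.token_urlsafe(24)
        self.pending[self._digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        """Steps 6-7: change the password only for the account the token was issued for.

        Nothing about the caller's browser session is consulted, so looking up a
        different account in another tab cannot influence which account changes.
        Returns the email whose password was changed, or None on any failure.
        """
        if not token:  # an empty ?token= must never reach the password form
            return None
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        self.passwords[email] = new_password
        return email
```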

Fortunately, if your account WAS compromised, you should have received an email that said something along the lines of “Thank you for changing your password, if you were unaware of this change please contact Sony,” or something to that effect. While this method is as effective as it is simple, it would take a lot of time to physically access any large number of accounts. It sounds like Sony found out about this and shut off its only access point fairly quickly. Only one more question left:

When will it just end?
