A serious security flaw that could be used to attack PSN and access user data was discovered in the Sony site by a security expert, says the German tech site Golem.
Oh boy, if this is true I hope their silence on this is because they are avoiding it not hitting mainstream media and trying to patch it as quickly as possible. Sony can't afford another one of these hacks, not now.
The problem with those hacks is, if they don't make it public, the company does nothing until something happens. That's why magazines (or whoever does this professionally) contact the company and make it public after a while. If it is not in the public, companies (not only Sony) tend to not react at all until it is too late. Some things only work with a bit of public pressure.
PSN security is run by a bunch of monkeys. Problems are here to stay and are not going away.
Not saying there isn't a security vulnerability especially given the information from the article, but companies like these look for issues, contact the company in order to get the company to pay them to "fix" said vulnerability, and if they don't they then go public. Sony is an easy target obviously given the past PSN hack but this company's motives are not simply to help customers.
@gority Yes, this issue was found simply because he makes money by charging ____ company to fix the issue. However, that doesn't change the severity of the issue nor the fact that Sony is ignoring it. Both MS and Nintendo surely have as many (maybe more) issues, however they proactively fix them. A great example is a random 5 year old sent an email (to the wrong place may I add) to MS about a security flaw and they not only listened and repaired it within days of receiving the email. Sony is ignoring a MAJOR security firm telling them they have a problem, it's not good.
@nicksetzer1 Man, you are really reaching. Major security firm? No. Random dude, telling them they have a security issue, yes. Your bias towards Sony is evident, and I guess I can't fault you too much based on their security history but don't just make stuff up. Here is a credit from the same individual, not firm, regarding a different vulnerability. The credit links to his Facebook page. http://www.telekom.com/secu...
@gority you do realize that he is linked to security issues being resolved for Google, T-Mobile, eBay, etc. http://ebay.com/securitycen... http://www.telekom.com/secu... Security companies tend to remain low brow, they don't just publicly advertise, are you expecting to know the individuals they hire like they are some superstar? And does that fantasy world you live in somehow make it impossible for it to be a major firm if he is not? Most likely firms hire him as an independent contractor ... as most do, hence almost all those in the link use their personal contact info. Regardless let's say it is just a random person, does that make it reasonable to ignore a security flaw on Sony's behalf? The only one reaching is you for trying to find any reason you can to justify Sony ignoring security issues consistently.
SQL injection the oldest trick in the book is a vulnerability on PSN? Wow! Just wow! The kicker, notified 2 weeks ago and no response! Parametrized queries will fix this in no time and can be done by 10-year old programmers. In fact, this is the sort of thing you prevent easily by having a policy of only using parametrized queries. All major websites do this, let alone a paid network serving 100's of millions of people. Sony do you have such incompetent programmers or do you not care? I guess it is your customer data and not Sony's. Last time this happened in 2011 when Sony got hacked, all Sony got was a slap on the wrist after again ignoring customer information safety and neglected to patch their server software. Again something they should do as routine maintenance. It is one thing that mistakes happen and completely another to willfully ignore blatant security issues: http://www.vg247.com/2011/0... This is quite amazing really!
@nick by this point I doubt Microsoft has many security issues at all with Live. User data has never been stolen via a hack and while the bug that kid found was awful it only had existed for a couple weeks after an update and redesign to the site took place. Even still no user data was compromised. Sony on the other hand has had user data stolen from PSN, they also had the root not fiasco, PSN constantly being down and now a security advisory from a firm which they haven't commented on, and now that information is in the wild that it exists you can safely bet your very last dollar there are currently multiple people and groups trying to actively exploit it. They watch the watchdogs waiting for news like this and race to get in before something can be patched and Sony has proven they have a very bad track record with patching. They should take PSN offline and investigate immediately whether the threat is credible or not.
That's not exactly how these things go. When someone on the white side of things finds a vulnerability they first alert the offending party, in this case SONY. They give them enough time to patch the problem and most times only publish the vulnerability after it has been patched. That's the etiquette white hats use and that's the standard professional procedure. It has nothing to do with public pressure.
*** "SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security *** Now, look at the quote I was talking to. Tell me, does "the top 10" equate to "oldest vulnerability in the book"? So, rant on as you please, but at least acknowledge the quote I am speaking towards. XSS is also in the top 10... and it's also older than SQL Injection... ***Something else more common doesn't make something else less common! *** I didn't say it did! Again, you need to read the quote I am talking towards, not just my words without any reference point. That's why I take the time to quote the parts that I am replying to. ***Don't excuse that simply because it is your favorite company! *** Show me where I excused it? ***I hope the mod gods doesn't ban me though for speaking my opinion against their goal.*** The sad thing is... you were okay up until you called me a troll and made this remark. Too bad you don't know how to read my comment as it's intended and instead insinuate that I'm somehow supporting Sony in this.
Sounds very familiar.... http://www.vg247.com/2011/0...
Doesn't help they made user info including credit cards mandatory and not user-removable. I'm gonna have to double check if card on my account has protection. Dumb move on Sony to require CC on account instead of making it an option at time of purchase, guess people gonna have to learn the hard way. @ lil and Bibty It did require credit info for trial when I first got PS4 and it wouldn't let me remove it later on. I can only substitute the card for another.
You can remove your credit card info and you are not forced to put in your CC info.
Credit cards aren't mandatory, why do you think this?
@bitbydeath @ lilbrat23 Why let facts stand in the way of sensationalist hyperbole?
Excuse but you are a liar, I put in then removed my credit card information last night thank you very much.
Well...the severity of the threat isn't really known from this article, and the author of the article doesn't say exactly other than to say it's serious. Some broad claim that it may lead to attackers getting data doesn't say much as to what kind of data they would receive. SQL injections are extremely common, and I guarantee you almost every site that uses SQL has at least one somewhere within its code which may or may not be discovered. Sometimes they can be quite serious (one mentioned in the article), and sometimes they can be quite banal. For those that don't know, SQL is a database server/program that is used for holding information in most organizations, and it makes up a pretty big chunk of data driven websites, and is used to hold most data within organizations as well. Basically an SQL injection just allows for an unchecked SQL command to be used when accessing a website, so the attacker can change the data that is retrieved from that command. If that command happens to be tied to sensitive user data, then it could lead to personal information being leaked. I'm glad the person who found this contacted Sony though instead of just making it public. As far as why Sony hasn't fixed it, it's either because they don't feel it will lead to the loss of sensitive information, or they haven't found a way to fix it yet. Given Sony's history in server hacks, I'd say it's probably the former...I highly doubt they'd want a repeat of that. It's also possible that the information received from using this attack would only return encrypted data which would be useless to the attacker, so as of now there isn't much need for concern. But it's worth finding out if Sony has plans to fix it, or if they've already fixed it. Since this article didn't bother to contact Sony for an answer, we'll just have to take their word for it for now.
There is no way to fully know unless it happens but they will have contacted Sony about the issue I assume rather than tell magazines and websites first. It's a simple thing to stop and I imagine the SQL would only affect a small part of PSN rather than the whole thing. The key word is could, it's not been proven it can and Sony might have prevented it by some other means.
"it's not been proven it" Exactly, people will eat up anything on the internet these days. Considering Sony's past breach, I could easily write a blog up myself on how I hacked Sony's website and people will believe me, yet I have no security or hacking skills. They didn't even contact Sony the right way, as they should have done it through tech support. There is no evidence or proof from them and they said they wanted to release the information, and this was reported to Sony on 9th of October. If they have any evidence at all of the information they hacked and Sony still hasn't done anything, from the 9th till now they would have released the information. Very fishy imo.
Golem is a professional online magazine and not someone's blog. They should be trustworthy. And if they say they contacted the support, I don't think they mean the normal customer support.
@ Mulando professional online magazine or blog. Not the point I am making, on both opinions and news are written and this one has no evidence of any vulnerability, it is just someone saying they did an SQL injection and acquired data, showing no proof at all. Then for a professional security team not being able to contact the right support, they are meant to contact tech and security support. Again with Sony's previous breach, anyone can claim they hacked Sony and people will believe them, with no evidence especially after two weeks of telling Sony. This is just a claim with no evidence and nothing more.
@GameDev1 and what the hell do you want them to do? Release a PoC so we all get our account information dumped? I'm not sure if you're really that dumb or just a blind fanboy, perhaps both...
Yeah. I highly doubt their SQL Injection gives them any true access to anything more than public info and not actual passwords or the like (which are stored in hash form and not cleartext). But, regardless, SQL Injections are easy to fix in the overall scheme of things. So, Sony should be able to fix this. The fact that they have a SQL Injection vulnerability, even on basic, public info, is kind of worrisome. It's one of the key things a Web programmer should be testing against at every step of development.
I am always surprised when I look at how incompetent the web development teams for some of these big companies are. Hopefully the SQL User that they are using for this has only got the permissions that it needs but I would not bank on it.
Sadly, Bladesfist, I'm not surprised. 9/10 Web programmers I've worked with do the least amount possible and don't keep in mind security until they get tested for it. And, even then, they typically just fix the issues that the analyzer found, not all of them.
Nothing said what kind of information could be retrieved from this. For all we know all it could retrieve is what time a particular user logged in, if a person knew a particular user's screen name...although with SQL injection a more broad search could be used. Certainly not devastating. I like that the person who found this did contact Sony, but I wonder why the article didn't bother to ask Sony for comment. Apparently it's just taking the attacker's word for the fact that it isn't fixed. It also doesn't say if the injection could be rejected server side, which is a definite possibility since checks can't be seen on the server itself without performing an injection...so it makes me wonder if the person who found it actually tried to retrieve information using an attack. Too many unknowns from this article to make a big deal about it. Hopefully some website will use it to get a comment from Sony though. If it's an issue, it should be addressed, but no need to fear monger when a bit of prudence in reporting can make a much clearer picture.
Well... hopefully these guys are the first and only ones to find the vulnerability. I wonder if they openly share the details with Sony, or if they say "we've found something... you'd best pay us to tell you"? Companies can't operate on good will.
Sony needs to step up their security game
good job posting it here to inform the whole of the internet.
Sony needs to really put a focus on revamping the PSN. It is my largest concern with PlayStation consoles, and many people avoid the console for the service alone. Sony needs to deal with the troubles of the service
100% agreed. I ask again.. why am I paying for this service? Hacks, downtime, maintenance. It's actually shocking how bad PSN has been.
If this is true then it means that Sony learned nothing of the 2011 PSN hack.
That's not how it works.
When you're on top of your game there's always ppl that want to bring you back down.
All I need now is to understand their tables and then change my gamer name ;)
Really they are using a SQL database with low encryption to host customer data. SQL is fine if it is local, but it is not meant for WLAN or Datacenters. Use an oracle base or sharepoint with 256 bit encryption at least.
You make a lot of assumptions from a very incomplete article. SQL has encryption, and Oracle is just as vulnerable to SQL injections as any other form of SQL is. Nowhere does it say that Sony is using SQL, and they may very well be using Oracle or some other alternative. The level of encryption has nothing to do with the commands being used to access data in this case. SQL is the most commonly used database for storing and hosting customer and company data. It wouldn't get that way if it didn't have the security it needs. Also, this article didn't say if the data was encrypted or not, or what kind of data could be retrieved with this attack. For all you know, any data retrieved could be completely useless. It also didn't say how far an SQL injection could actually go into the servers, and for all you know, the injection could be checked server side, and thus rejected.
I use SQL everyday, I know the limitations and the infrastructure is not built to host millions of records. It is built for small companies that want a way to store DBs locally or through VPN. We host in the cloud as well, but again it is built for individuals and small companies. It is NOT built for datacenters. SQL also uses a light encryption through their backup system, but anyone can download Management studio or a third party utility and check the tables for info.
I am an SQL DBA, and what you have just said is the biggest pile of bull I have seen on here. SQL can hold over 500,000 TB of data consisting of hundreds of millions of rows, even billions. The issue with SQL injection is to do with the website designers and the way they are writing the code to access the data. Instead of forcing parameterisation of a query they are allowing an ambiguous input that can alter the syntax of the query thus pulling additional data. I support databases for numerous customers that hold huge amounts of data that are updated thousands of times each hour. I know the capabilities of SQL, you clearly don't. Btw, SQL doesn't just encrypt through backups. It encrypts via the use of encryption keys, Ya idiot. Also not everyone can access the data just by downloading management studio. You need a verified security logon principal with an associated user principal that has the required permission to access the data. If you work in IT I suggest you find a new job.
@Dewitt? Really ? Wtf, you're blowing freaking smoke or trying to that is..that is complete fabrication of the truth, who are you trying to fool? About SQL? Not made for large companies data centers? LMAO http://www.tripwire.com/sta...
What, SQL Injection has nothing to do with encryption. It is the result of not properly sanitizing user input.
If it's true should I trust that it will be addressed?
2 things Sony needs to work on and then they'll be the best video game company: 1. PSN 2. The PS Vita
Wasn't there a PSN outage announced for tonight? Could they be patching this?
PSN will always have security issues. They haven't fixed it since the PS3 first released. I'll make sure I spread the news on the internet about this situation. This is something more people should know about tho everyone knows that PSN is unsecure. I got my credit card info on my X1 but I would never ever do that on my PS4. PSN name BKaca.
Pretty sure that's because PSN was designed with their eyes closed, I mean how else could you explain not being able to change your PSN ID?
I don't know about spreading this info.... See my comments near the top about the source.
To a hacker eventually the challenge is the rush of a "harder" job... Xbox fans I bet are more cozy than they really should be!
why pay with credit card ? just go with psn prepaid cards.
And this is why prepaid PSN cards are always on Amazons best sellers list.
lol every time I go on N4G now there's always at least one article about PSN. Either the service is really that bad or these journalists are just overblowing every little outage for a few clicks.
To all the people saying Microsoft is invulnerable, nobody built a fake PS4 with hacked specs: http://arstechnica.com/tech...
The four men also allegedly turned to Epic Games and used SQL injection attacks “and other incidents of unauthorized access” like stolen passwords to pilfer “unreleased software, source code, and middleware” from the upcoming Gears of War 3 title. yup, only Sony security falls prey to SQL attacks... Bubble up for court case reference IE: yes even Microsoft people
Been saying this months now, they need new hamsters.
aaaaaand now PSN is down :(
Yep PSN is down for me too; in Burbank, CA
Hire me, Sony I can fix it!! How? Client-side white list input validation (through the usage of regular expressions and conditional statements) + stored procedure with strict parameters on backend SQL database + parameterized queries. Boom. Problem solved, potential SQL injection crisis averted. /nerdy CIS major rant As a long-time PS fan though, this is troubling if it's actually exploitable (I'm not going to try, nor should you unless you're an idiot). If so though, as a 21 year old college n00b, I apparently know more than the "seasoned" security professionals at Sony. Neat.
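The fix the comments above keep returning to (parameterised queries plus allow-list input validation), as an added example that is not part of any comment and not Sony's code: a string-built lookup beside the parameterised form, run with Python's sqlite3 against a constructed `accounts` table. All table, column and function names are hypothetical, the allow-list check runs in the same function as the query, and stored procedures are left out because SQLite does not have them.

```python
import re
import sqlite3

# Allow-list for screen names (assumed format: 3-16 letters, digits, _ or -).
SCREEN_NAME_RE = re.compile(r"[A-Za-z0-9_-]{3,16}")

# Constructed sample rows; not real accounts.
SAMPLE_ROWS = [
    ("alice_01", "alice@example.test"),
    ("bob-the-gamer", "bob@example.test"),
    ("carol99", "carol@example.test"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, screen_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (screen_name, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_concatenated(conn, screen_name):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    sql = (
        "SELECT screen_name, email FROM accounts "
        "WHERE screen_name = '" + screen_name + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, screen_name):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT screen_name, email FROM accounts WHERE screen_name = ?"
    return conn.execute(sql, (screen_name,)).fetchall()


def lookup_validated(conn, screen_name):
    """Allow-list check first, then the parameterised query (defence in depth)."""
    if not SCREEN_NAME_RE.fullmatch(screen_name):
        raise ValueError("screen name fails allow-list check")
    return lookup_parameterized(conn, screen_name)


def outcome(fn, conn, screen_name):
    """Return the rows, or the exception class name if the lookup fails."""
    try:
        return fn(conn, screen_name)
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: one alters the WHERE clause when concatenated,
    # one is an ordinary value containing a quote, one is a normal name.
    for name in ("nobody' OR '1'='1", "O'Brien", "carol99"):
        print(repr(name))
        for fn in (lookup_concatenated, lookup_parameterized, lookup_validated):
            print("  ", fn.__name__, "->", outcome(fn, db, name))
```

The string-built query returns every row for the first input and fails outright on the second, while the parameterised query treats both as plain values that match nothing.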
Where does all that PS+ Money go?? It's really a joke, you can love Sony all you want but they don't seem to learn. If stuff like this turns into another month downtime like back then it will bite them in the Ass this time.
*Good* free PS+ games, duh. Lol enjoy your Viva Pinata next month!!
Enjoy your next Downtime.
really again this could cripple them if true...
It is being tried even if it's not true, there is no down side to websites running this type of release, because even if it's not true it still does PR damage to said company. Why do you think it's used in Astroturfing? Already in this and other forums it's a vs thread by default, which only benefits Microsoft and hurts the perception of Sony and its network regardless if it's true or not. Ever since the hacking fiasco of 2011 it's a free negative PR against Sony even if it's not true. Every time there is maintenance on PSN there is tons of these types of articles implying or questions about the security of PSN. It's pretty much a free negative to levy against Sony without any repercussion. Some could very well say, because it's all true..every negative, but they are going to say that regardless. Even if it's found out not to be true at all, the trust in PSN security is an issue no matter how much Sony would invest into it. And it's being used in a media as a way to generate a story even if the story is not true. To many consumers it will be true regardless. What many gamers, and you can tell which preference they have, ask: why is it that PSN still is getting more users to sign up for the service with how poor the security is..they are sheep, why is it people cannot see how better Microsoft's network is over Sony. That's really the core blunt truth of the matter, if Microsoft was not this far behind in sales and it was Sony in Microsoft's place and Microsoft would be in Sony's place right now, how would these talking points go then..hey look not only is our sales massive but also look at how secure our network is..look at last generation of the Xbox 360 vs PS3 in forum posts on gamer forums. The fact is despite the perception of or lack thereof Sony's online security more consumers right now are still buying into PlayStation. The argument that is being framed is why choose Sony over Microsoft or Nintendo. They do not have to outright say it, it's already implied.
there are many gamers feel that other gamers are not giving Microsoft a fair chance and bought into the PS4 Hype. If Microsoft was in the lead would we really be having these/stories also..yes you could count on it.
that pious soul, that good man, all free then made ..Beh actually yesterday I have entered the server area 51, and I've found things you people would not even imagine, so incredible that I can not even tell you what I seen (because it does not tell the details?). That is, each morning he gets up and comes up with one, then just happened to Sony was warned of it and do nothing, prefers another Shitstorm and spend twice as much in repayments ...... But let's stop, has become a fashion .the success creates too many enemies and owls ... Very curious to hear the response from Sony ... P. S. because this person did not sell information?
Did anyone notice that the PS4 is still selling like hotcakes in spite of all the trolling and negative talk about a network that has more than 10 million users connected to it? 13.5 million consoles as of October... 18.5 to 19.2 million by the end of the year... Troll that...
You might want to hit up the definitions if you think that pointing out a security flaw is considered 'trolling'.