Top
380°

SQL Vulnerability allows access to Sony's customer data

A serious security flaw that could be used to attack PSN and accessing user data, was discovered in the Sony site by a security expert, says the German tech site Golem.

Read Full Story >>
translate.google.com
The story is too old to be commented.
Mikelarry1360d ago

Oh boy, if this is true I hope their silence on this is because they are avoiding it not hitting mainstream media and trying to patch it as quickly as possible. Sony cant afford another one of these hacks not now

Mulando1359d ago

The problem with those hacks is, if they don't make it public, the company does nothing until something happens. That's why magazines (or whoever does this professional) contacts the company and make it public after a while. If it is not in the public companies (not only Sony) tend to not react at all until it is to late. Some things only work with a bit of public pressure.

decrypt1359d ago

PSN security is run by a bunch of monkeys. Problems are here to stay and are not going away.

Gority1359d ago

Not saying there isn't a security vulnerability especially given the information from the article, but companies like these look for issues, contact the company in order to get the company to pay them to "fix" said vulnerability, and if they don't they then go public. Sony is an easy target obviously given the past PSN hack but this company's motives are not simply to help customers.

nicksetzer11359d ago

@gority Yes, this iasue was found simply because he make money by charging ____ company to fix the issue. However, that doesn't changw the severity of the issue nor the fact that Sony is ignoring it. Both MS and nintendo surely have as many (maybe more) issues, however they proactively fix them.

A great example is a random 5 year old sent an email (to the wrong place may I add) to MS about a security flaw and they not only listened and repaired it within days of recieving the email. Sony is ignoring a MAJOR security firm telling them they have a problem, it's not good.

Gority1359d ago

@nicksetzer1

Man, you are really reaching. Major security firm? No. Random dude, telling them they have a security issue, yes. Your biased towards Sony is evident, and I guess I can't fault you too much based on their security history but don't just make stuff up.

Here is a credit from the same individual, not firm, regarding a different vulnerability. The credit links to his facebook page.

http://www.telekom.com/secu...

nicksetzer11359d ago (Edited 1359d ago )

@gority you do realize that he is linked to security issues being resolved for google, tmobile, ebay, etc.
http://ebay.com/securitycen...
http://www.telekom.com/secu...

Security companies tend to remain low brow, they don't just publicly advertise, are you expecting to know the individuals they hire like they are some superstar? And does that fantasy world you live in somehow make it impossible for it to be a major firm if he is not? Most likely firms hire him as an independent contractor ... as most do, hence almost all those in the link use their personal contact info. Regardless let's say it is just a random person, does that make it resonable to ignore a security flaw on Sony's behalf?

The only one reaching is you for trying to find any reason you can to justify Sony ignoring security issues consistently.

donthate1359d ago (Edited 1359d ago )

SQL injection the oldest trick in the book is a vulnerability on PSN?

Wow! Just wow!

The kicker, notified 2 weeks ago and no response!

Parametrized queries will fix this in no time and can be done by 10-year old programmers. In fact, this is the sort of thing you prevent easily by having a policy of only using parametrized queries. All major websites do this, let alone a paid network serving 100's of millions of people.

Sony do you have such incompetent programmers or do you not care?

I guess it is your customer data and not Sonys'.

Last time this happened in 2011 when Sony got hacked, all Sony got was a slap on the wrist after again ignoring customer information safety and neglected to patch their server software. Again something they should do as routine maintenaince.

There is one thing that mistakes happen and completely another to willfully ignoring blatant security issues:

http://www.vg247.com/2011/0...

This is quite amazing really!

Christopher1359d ago (Edited 1359d ago )

***SQL injection the oldest trick in the book is a vulnerability on PSN? ***

You lost me there.

As far as Web-based vulnerabilities, SQL Injections are far form the oldest or most common forms of vulnerabilities. XSS is way more common as well as many other JavaScript vulnerabilities.

***Parametrized queries will fix this in no time and can be done by 10-year old programmers. ***

Your hyperbole aside (10-year old programmer? Really? I know professional Web developers who still don't do it all over the place), your are right that they should be doing this as well as stored procedures.

***All major websites do this, let alone a paid network serving 100's of millions of people***

Actually, they don't. There are still massive security flaws on Yahoo! and there have been various other security flaws of this type on Google sites, Microsoft sites, and more. Heck, MS had to do some major updates to SharePoint due to SQL Injection issues even.

The difference I will give them is that they respond almost immediately to these things. Sony? Not sure what the heck they're doing.

donthate1359d ago Show
d0x3601359d ago

@nick by this point I doubt Microsoft has many security issues at all with live. User data has never been stolen via a hack and while the bug that kid found was awful it only had existed for a couple weeks after an update and redesign to the site took place. Even still no user data was compromised.

Sony on the other hand has had user data stolen from psn, they also had the root not fiasco, psn constantly being down and now a security advisory from a firm of which they haven't commented on and now that information is in the wild that it exists you can safely bet your very last dollar there are currently multiple people groups and trying to actively exploit it. They watch the watch dogs waiting for news like this and race to get in before something can be patched and Sony has proven they have a very bad track record with patching.

They should take psn offline and investigate immediately whether the threat is credible or not.

mechlord1358d ago

Thats not exactly how these things go.
When someone on the white side of things finds a vulnerability they first alert the offending party, in this case SONY, They give them enough time to patch the problem and most times only publish the vulnerability after it has been patched. Thats the etiquette white hats use and thats the standard professional procedure.

It has nothing to do with public pressure.

Christopher1358d ago

***
"SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security ***

Now, look at the quote I was talking to. Tell me, does "the top 10" equate to "oldest vulnerability in the book"?

So, rant on as you please, but at least acknowledge the quote I am speaking towards.

XSS is also in the top 10... and it's also older than SQL Injection...

***Something else more common doesn't make something else less common! ***

I didn't say it did! Again, you need to read the quote I am talking towards, not just my words without any reference point. That's why I take the time to quote the parts that I am replying to.

***Don't excuse that simply because it is your favorite company! ***

Show me where I excused it?

***I hope the mod gods doesn't ban me though for speaking my opinion against their goal.***

The sad thing is... you were okay up until you called me a troll and made this remark.

Too bad you don't know how to read my comment as it's intended and instead insinuate that I'm somehow supporting Sony in this.

+ Show (8) more repliesLast reply 1358d ago
oODEADPOOLOo1359d ago (Edited 1359d ago )

Dosent help they made user info including credit cards mandatory and not user-removable. I'm gonna have to double check if card on my account has protection. Dumb move on Sony to require CC on account instead of making it an option at time of purchase, guess people gonna have to learn the hard way.

@ lil and Bibty

It did require credit info for trial when I first got PS4 and It wouldnt let me remove it later on. I can only substitute the card for another.

lilbrat231359d ago

You can remove your credit card info and you are not forced to put in your CC info.

BitbyDeath1359d ago

Credit cards aren't mandatory, why do you think this?

thereapersson1359d ago

@bitbydeath @ lilbrat23

Why let facts stand in the way of sensationalist hyperbole?

XabiDaChosenOne1359d ago

Excuse but you are a liar, I put in than removed my credit card information last night thank you very much.

+ Show (2) more repliesLast reply 1359d ago
rainslacker1359d ago (Edited 1359d ago )

Well...the severity of the threat isn't really known from this article, and the author of the article doesn't say exactly other than to say it's serious. Some broad claim that it may lead to attackers getting data doesn't say much as to what kind of data they would receive.

SQL injections are extremely common, and I guarantee you almost every site that uses SQL has at least one somewhere within it's code which may or may not be discovered. Sometimes they can be quite serious(one mentioned in the article), and sometimes they can be quite banal.

For those that don't know, SQL is a database server/program that is used for holding information in most organizations, and it makes up a pretty big chunk of data driven websites, and is used to hold most data within organizations as well.

Basically an SQL injection just allows for an unchecked SQL command to be used when accessing a website, so the attacker can change the data that is retrieved from that command. If that command happens to be tied to sensitive user data, then it could lead to personal information being leaked.

I"m glad the person who found this contacted Sony though instead of just making it public. As far as why Sony hasn't fixed it, it's either because they don't feel it will lead to the loss of sensitive information, or they haven't found a way to fix it yet. Given Sony's history in server hacks, I'd say it's probably the former...I highly doubt they'd want a repeat of that.

It's also possible that the information received from using this attack would only return encrypted data which would be useless to the attacker, so as of now there isn't much need for concern. But it's worth finding out if Sony has plans to fix it, or if they've already fixed it. Since this article didn't bother to contact Sony for an answer, we'll just have to take their word for it for now.

+ Show (2) more repliesLast reply 1358d ago
TheLyonKing1360d ago

There is no way to fully know unless it happens but they will have contacted sony about the issue I assume rather than tell magazines and websites first.

Its a simple thing to stop and I imagine the sql would only affect a small part of PSN rather than the whole thing. The key word is could its not been proven it can and sony might have prevented it by some other means.

GameDev11360d ago

"its not been proven it"

Exactly, people will eat up anything on the internet these days

Considering Sony's past breach, I could easily write a blog up myself on how I hacked Sony's website and people will believe me yet I have no security or hacking skills

They didnt even contact Sony the right way as they should have donw it through tech support

There is no evidence or proof from them and they said they wanted to release the information, and this was reported to Sony on 9th of October, if they have any evidence at all of the information they hacked and Sony still hasnt done anything, from the 9th till now they would have released the information

Very fishy imo

Mulando1359d ago (Edited 1359d ago )

Golem is a professional online magazine and not someones blog. They should be trustworthy.
And if they say they contacted the support, I don't think they mean the normal customer support.

GameDev11359d ago

@ Mulando

professional online magazine or blog. Not the point I am making, on both opinions and news are written and this one has no evidence of any vulnerability, it is just some saying they did an SQL injection and acquired data showing no proof at all

Then for a professional security team not being able to contact the right support, they are meant to ccontact tech and security support

Again with Sony's previous breach, anyone can claim they hacked Sony and people will believe them, with no evidence especially after two weeks of telling Sony.

This is just a claim with no evidence and nothing more

Th4Freak1359d ago (Edited 1359d ago )

@GameDev1 and what the hell do you want them do to? Release a PoC so we all get out accounts information dumped? I'm not sure if you're really that dumb or just a blind fanboy, perhaps both...

Christopher1359d ago

Yeah. I highly doubt their SQL Injection gives them any true access to anything more than public info and not actual passwords or the like (which are stored in hash form and not cleartext).

But, regardless, SQL Injections are easy to fix in the overall scheme of things. So, Sony should be able to fix this.

The fact that they have a SQL Injection vulnerability, even on basic, public info, is kind of worrisome. It's one of the key things a Web programmer should be testing against at every step of development.

Bladesfist1359d ago

I am always surprised when I look at how incompetent the web development teams for some of these big companies are. Hopefully the SQL User that they are using for this has only got the permissions that it needs but I would not bank on it.

Christopher1359d ago

Sadly, Bladesfist, I'm not surprised. 9/10 Web programmers I've worked with do least amount possible and don't keep in mind security until they get tested for it. And, even then, they typically just fix the issues that the analyzer found, not all of them.

rainslacker1359d ago (Edited 1359d ago )

Nothing said what kind of information could be retrieved from this. For all we know all it could retrieve is what time a particular user logged in, if a person knew a particular users screen name...although with SQL injection a more broad search could be used.

Certainly not devastating.

I like that the person who found this did contact Sony, but I wonder why the article didn't bother to ask Sony for comment. Apparently it's just taking the attackers word for the fact that it isn't fixed. it also doesn't say if the injection could be rejected server side, which is a definite possibility since checks can't be seen on the server itself without performing an injection...so it makes me wonder if the person who found it actually tried to retrieve information using an attack.

Too many unknowns from this article to make a big deal about it. Hopefully some website will use it to get a comment from Sony though. If it's an issue, it should be addressed, but no need to fear monger when a bit of prudence in reporting can make a much clearer picture.

Volkama1360d ago

Well... hopefully these guys are the first and only ones to find the vulnerability.

I wonder if they openly share the details with Sony, or if they say "we've found something... you'd best pay us to tell you"? Companies can't operate on good will.

whoyouwit041360d ago ShowReplies(3)
Alex_Boro1359d ago

Sony needs to step up their security game