PSN Password Reset Exploit Discovered

Game Rant

By GR Staff

Published May 18, 2011

In yet another blow to the service, an exploit has been found in PSN's password reset system. Should you be worried? Read on for all the details.

Just days ago, Sony finally began to bring PSN services back online after a protracted outage. In an effort to garner good will, Sony has taken a number of steps, including providing identity theft insurance for PSN users and offering free games as part of a "Welcome Back" promotion. With E3 2011 just ahead, Sony no doubt hopes that the worst of the situation is behind them. Unfortunately, it now appears that users may have a new reason to be wary of PSN.

In order to connect to the restored PSN, customers are asked to download firmware update 3.61, which requires "all registered PlayStation Network users to change their account passwords before being able to sign into the service." Account passwords can also be reset on PlayStation.com. Password reset requests have been so numerous that they've been slowing PSN restoration, but it seems that speed isn't the only problem with the process.

According to Eurogamer, an exploit in the PlayStation Network password reset system has been discovered that enables hackers to change players' passwords. The exploit makes use of PSN account holders' birthdates and email addresses, millions of which were compromised during the attack on PlayStation Network.

Currently, users can not log in to PlayStation.com or the PlayStation forums. Attempting to do so brings the following site maintenance message.

Sony is obviously aware of the situation, though they appear to disagree on the specifics. While they admit an exploit existed, they claim already to have addressed it, and adamantly deny that any sort of "hack" was responsible. From the PlayStation Blog:

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."

"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."

No time frame for the return of website in question has been established.

In its statement, Sony appears to be downplaying the seriousness of this latest situation. Given recent history, though, one has to wonder just how such an exploit made its way into Sony's password reset process. Sony has already been roundly criticized over the PSN situation, from the amount of time it took them to notify customers to the welcome back rewards being offered. Sony had to answer questions for Congress. That they would allow customers to be exposed to yet another vulnerability -- however minor -- during this process borders on the inconcievable.

Ranters, what is your take on Sony's latest PSN problem? Will the company ever be able to put this issue behind them?

Follow me on Twitter @HakenGaken

Source: Nylevia [via Eurogamer], PlayStation Blog