May 19, 2011, 6:00 AM — Sony and Microsoft both had PR snafus yesterday, but only one company came out of it smelling like a rose.
Sony is the one that didn't, which seems par for the course these days. I've had a lot of patience with the company and have even defended them during the recent hack and the ensuing PSN downtime. But this I cannot forgive.
Here's what happened. Someone discovered a way to reset another user's password via the PSN and Qriocity websites. What's supposed to happen is that you enter your email address and birthdate, and you get sent an email with a link to click to verify that you want to change your password. But by manipulating URLs, clever miscreants were able to bypass the link-clicking step, which is the only part of the process that proves you actually control the mailbox. Kotaku listed the steps given to it as follows:
1) Navigate to: https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=... with the y's being a unique token) - do not enter the code at this point.
2) Open a new tab in Firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)
3) Click Recover password
4) Enter the email and date of birth of the target account
5) Click continue, then on the confirmation page, click "Reset using E-mail"
6) Switch back to the original tab, and enter the code, then click continue
7) You will now be asked to enter a new password for the target account
I haven't been able to clarify the exact steps (like where the code in step 6 comes from) because Sony brought the sites down to fix the exploit, but this looks like a pretty basic flaw in their security: the emailed link exists to prove you own the account's mailbox, and the flow let that step be skipped. After all the scrutiny and the loudly announced hiring of security consultants, they come back online and two days later someone has figured out this simple way to bypass their new security system? Really, Sony!?
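The steps above describe a reset flow that can be driven to the "enter a new password" screen without the emailed link ever being followed. As an added illustration (not Sony's code; the PSN implementation was never published, and the post itself says the exact mechanism is unclear), here is a toy Python model of that general class of flaw beside a hardened version of the same flow. The sample account, the session-flag bug in the vulnerable variant, the hash-stored single-use token and the fifteen-minute lifetime in the hardened one are all assumptions for the sake of the example; only the link format is taken from the steps quoted above.

```python
import hashlib
import secrets
import time

# Constructed sample data: one account, identified by e-mail address and date of birth.
def fresh_accounts():
    return {"victim@example.com": {"dob": "1980-01-01", "password": "old-secret"}}

# Link format quoted in the post; the value after "token=" is what the mail carries.
RESET_URL = "https://store.playstation.com/accounts/reset/resetPassword.action?token="

class Outbox:
    """Stand-in for the mail server: records what would have been e-mailed."""
    def __init__(self):
        self.sent = []
    def send(self, to, body):
        self.sent.append((to, body))
    def last_token(self):
        # Only the mailbox owner can read this; the attacker in the scenario cannot.
        return self.sent[-1][1].rsplit("token=", 1)[1]

class VulnerableReset:
    """Hypothetical flawed flow: answering e-mail + DOB marks the requester's own
    browser session as entitled to set a new password, so the emailed link is
    sent but never actually required. (Assumed bug, not PSN's real logic.)"""
    def __init__(self, accounts, outbox):
        self.accounts, self.outbox = accounts, outbox

    def request_reset(self, session, email, dob):
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return False
        self.outbox.send(email, RESET_URL + secrets.token_urlsafe(16))
        session["reset_account"] = email  # the bug: entitlement granted without the token
        return True

    def set_password(self, session, new_password):
        email = session.get("reset_account")
        if email is None:
            return False
        self.accounts[email]["password"] = new_password
        return True

class HardenedReset:
    """Only the emailed token authorises a change: random, stored server-side as a
    hash, bound to one account, single-use and time-limited. The e-mail + DOB step
    hands nothing back to the requester's browser."""
    TTL_SECONDS = 15 * 60  # assumed lifetime

    def __init__(self, accounts, outbox, clock=time.time):
        self.accounts, self.outbox, self.clock = accounts, outbox, clock
        self.pending = {}  # sha256(token) -> (email, expiry)

    def request_reset(self, email, dob):
        acct = self.accounts.get(email)
        if acct is not None and acct["dob"] == dob:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.clock() + self.TTL_SECONDS)
            self.outbox.send(email, RESET_URL + token)
        return None  # same response either way: no account enumeration, no session state

    def set_password(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # consumed on first presentation
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.accounts[email]["password"] = new_password
        self.outbox.send(email, "Your password was changed.")  # owner is still notified
        return True

def attacker_vulnerable():
    """Attacker knows the victim's e-mail and DOB but cannot read the victim's mail."""
    accounts = fresh_accounts()
    flow, session = VulnerableReset(accounts, Outbox()), {}
    flow.request_reset(session, "victim@example.com", "1980-01-01")
    return flow.set_password(session, "attacker-chosen"), accounts["victim@example.com"]["password"]

def attacker_hardened():
    accounts = fresh_accounts()
    flow = HardenedReset(accounts, Outbox())
    flow.request_reset("victim@example.com", "1980-01-01")
    guess = secrets.token_urlsafe(32)  # nothing came back, so guessing is all that is left
    return flow.set_password(guess, "attacker-chosen"), accounts["victim@example.com"]["password"]

def owner_hardened(clock_skew=0):
    """Mailbox owner follows the link; with clock_skew past the TTL the token is stale."""
    accounts, outbox, now = fresh_accounts(), Outbox(), [1_000_000.0]
    flow = HardenedReset(accounts, outbox, clock=lambda: now[0])
    flow.request_reset("victim@example.com", "1980-01-01")
    token = outbox.last_token()
    now[0] += clock_skew
    first = flow.set_password(token, "new-secret")
    second = flow.set_password(token, "again")  # replay of a consumed token
    return first, second, accounts["victim@example.com"]["password"]
```

In the flawed variant the attacker's own session ends up entitled to change the victim's password, so `attacker_vulnerable()` succeeds with no access to the victim's mailbox at all; the reset mail is sent, which is exactly why the victim would see the two messages described below. In the hardened variant the request step returns nothing the browser can reuse, a guessed token fails, the real token works exactly once, and a token presented after its lifetime is rejected. The point is not the specific code but the rule: the only thing that should unlock the "set new password" step is the secret that was delivered to the mailbox, never a flag set when the identity questions were answered.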
Now, a cooler head will point out that you need to know the email address and birthdate of the victim; that the victim will still get two emails, one saying "Click here to reset your password" and a second saying "You've successfully reset your password!", which should alert anyone who has lost access to their account; and that Sony did immediately take down the websites to fix the problem...
But this shouldn't have gotten past them in the first place, and worse was the post on the PlayStation Blog, which said, in part:
Contrary to some reports, there was no hack involved. In the process of resetting passwords there was a URL exploit that we have subsequently fixed.
That strikes me as arguing semantics when you ought to be apologizing yet again for totally dropping the ball on security. When someone changes my password and can thereby get into my account and see all my information, it doesn't matter whether it was via a "hack" or a "URL exploit." It matters that once again you've let me down, Sony!
Now compare that debacle with the problem that has surfaced over in the Xbox 360 camp. It turns out that a recent system update (though Microsoft is being coy about which one, exactly) has rendered some old Xbox 360s unable to read the discs that new games are coming on.
So what is Microsoft doing about it? First, they're proactively detecting the affected Xboxes via Xbox Live, and when they find one they reach out to the owner, offering a new 250 GB Xbox 360 S (that's the whisper-quiet model that came out last summer) and a year of Xbox Live Gold membership. In most cases the people who have gotten this offer weren't even aware there was a problem. Shacknews has the full story, and Engadget posted a screenshot of the letter one user received (though they attribute the problem to the update that is currently in testing, which I think is wrong).
Crisis averted, and Microsoft comes out looking like a great company that really cares about its customers. I hope Sony is paying attention; maybe they'll learn something. In the meantime, if you have an old Xbox 360 lying around, it might be worthwhile to connect it to Xbox Live so it can phone home to the mothership; if it's one of the 'very few' problematic units, you might score a new game console!