
Forums - Sony Discussion - Potential security issue on PSN (again)

bubblegamer said:
How is a topic like this still open with such questionable content? And what's with the "Again" in the title? You can at least try to be neutral when posting "news"

For reals though. Again? PSN has never had security/hacking issues.




I had no idea Yoda moonlighted in tech security. "Reaction Sony has not so far". My head kinda hurts. I read these universal translators were on the edge of a breakthrough a year ago. Someday.

So overall, disturbing, particularly the two weeks of inaction, but easily preventable...



Shuhei Yoshida is wasting all PS+ money on hookers, it seems.



Tamron said:

Yes mr high and mighty.

The best part is the "chime in the rile them up further", which was his own intent lol.

And to be back on topic, any publicly accessible server is vulnerable to attack, PSN and XBL have both been attacked and user data stolen multiple times, through various vectors, even indirectly at times (thanks, Fifa).

Generally when an exploit is found it's tested and the actual feasible potential is given, not "could soon lead to" with no actual ascertainable proof. When I uncovered an XSS vulnerability in out of page token emulation back in 2011, I compiled a working script for doing just that and submitted this along with a detailed rundown on what was wrong and what modules would need to be patched to fix it - within one hour of handing this in the web login servers for all PlayStation associated networking functions had been taken down and the patches I outlined were applied.

Most sites have vulnerabilities, they just vary in severity. If a site had profile data on the same database as login data, an overflow or a step into or out of a table container will get you the goodies, usually salted passwords, but if publicly accessible data is stored on a separate database to sensitive data, no amount of exploitation and dumping will give you access to the sensitive data, which is why I chimed in.

This vulnerability has been doing the rounds with security advisories for the past few days and the best anyone can do with it is dump publicly pollable data, such as numerical user id, psn id and associated salted email account, all things fairly easy to obtain without an exploit. Everything else is on not only a different database, but a completely different server, changes they made in the wake of the 2011 attacks.

And no, it's not likely that the person reporting this actually publicly released what he/she found, however as you should know by now, all it takes is for someone to point in the direction of something vulnerable and the security community and the nice folks over on sites like packetstorm and securityfocus don't really have to search long before they find the same hole.

As things now are, a login request is sent to one server which then queries a private linked server internally. Communications between the two aren't sniffable, and data is only transmitted through the public server to the client if the auth completes successfully.

Sorry if knowledge prevents me from riding the hate train OP, hopefully the more detailed explanation is understood.
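
Added example, not part of the post above or of any Sony code: a minimal Python/sqlite3 sketch of the separation the post describes, where a profile lookup on the public database is injectable but the credential store lives in a different database that the public connection cannot query. All table, function and user names are hypothetical, and the sketch assumes the public tier holds no connection or link to the credential store.

```python
import hashlib, hmac, os, sqlite3

# Constructed sample data; every name below is hypothetical.
public_db = sqlite3.connect(":memory:")  # database the public web tier can query
public_db.execute("CREATE TABLE profiles (user_id INTEGER, psn_id TEXT)")
public_db.executemany("INSERT INTO profiles VALUES (?, ?)", [(1, "alice"), (2, "bob")])

auth_db = sqlite3.connect(":memory:")    # separate store, internal service only
auth_db.execute("CREATE TABLE credentials (psn_id TEXT, salt BLOB, pw_hash BLOB)")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(psn_id, password):
    salt = os.urandom(16)
    auth_db.execute("INSERT INTO credentials VALUES (?, ?, ?)",
                    (psn_id, salt, _hash(password, salt)))

def lookup_profile_vulnerable(psn_id):
    # Deliberately injectable: the input is concatenated into the SQL text.
    sql = "SELECT user_id, psn_id FROM profiles WHERE psn_id = '" + psn_id + "'"
    return public_db.execute(sql).fetchall()

def lookup_profile_safe(psn_id):
    # Bound parameter: the input is data, never SQL.
    sql = "SELECT user_id, psn_id FROM profiles WHERE psn_id = ?"
    return public_db.execute(sql, (psn_id,)).fetchall()

def credentials_visible_from_public():
    # Upper bound on any injection: arbitrary SQL on the public connection.
    try:
        public_db.execute("SELECT * FROM credentials")
        return True
    except sqlite3.OperationalError:  # the table is not in this database
        return False

def internal_auth(psn_id, password):
    # Stands in for the private linked server; only a yes/no answer leaves it.
    row = auth_db.execute("SELECT salt, pw_hash FROM credentials WHERE psn_id = ?",
                          (psn_id,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])

if __name__ == "__main__":
    add_user("alice", "correct horse")
    crafted = "x' OR '1'='1"  # constructed input that changes the query's meaning
    print(lookup_profile_vulnerable(crafted))  # all public rows are returned
    print(lookup_profile_safe(crafted))        # no rows match the literal string
    print(credentials_visible_from_public(), internal_auth("alice", "correct horse"))
```

The separation holds only as long as the public tier has no credentials, linked-server definition or network route to the internal store; the bound-parameter lookup is still the fix for the injection itself.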



Recon1O1 said:
I had no idea Yoda moonlighted in tech security. "Reaction Sony has not so far". My head kinda hurts. I read these universal translators were on the edge of a breakthrough a year ago. Someday.

So overall, disturbing, particularly the two weeks of inaction, but easily preventable...


no, what's ironic is such "security" experts saying I found a vulnerability and what? not point to where it is to the corp? but, yeah we are so looking out for you and your consumers. then say hey I pointed it out two weeks back and you still have not fixed it?

ie: pay me or it goes public...hey allow us to use our resources to find a vector of attack vs your network security..hey you have one too..better get that fixed asap..

lmao... because these security experts are so worried about other people's security protection..that's like asking a cat burglar for what his method is to break in and all his methods that he uses....lol.



I AM BOLO

100% lover "nothing else matter's" after that...

ps:

Proud psOne/2/3/p owner.  I survived Aplcalyps3 and all I got was this lousy Signature.

Aerys said:

Seriously? A topic based on a Google translation of news from 4 days ago on an unknown website? If there was really an issue, why does no one else talk about it?

Really horrible that sites which aren't in English say something because they are automatically "unknown" and have no idea about anything!

Only sites which speak English, so that you from an English speaking country know the site, are reputable, right? Dude...

And that doesn't even have anything to do with this topic now but I read stupid stuff like that plenty of times of people who think a site which is unknown for them because it is in another language is automatically useless for information. 

The only reason why more people know a site in English is because most people understand it. That doesn't make them better or more reputable than French, German or Dutch sites.



crissindahouse said:
Aerys said:

Seriously? A topic based on a Google translation of news from 4 days ago on an unknown website? If there was really an issue, why does no one else talk about it?

Really horrible that sites which aren't in English say something because they are automatically "unknown" and have no idea about anything!

Only sites which speak English, so that you from an English speaking country know the site, are reputable, right? Dude...

And that doesn't even have anything to do with this topic now but I read stupid stuff like that plenty of times of people who think a site which is unknown for them because it is in another language is automatically useless for information. 

The only reason why more people know a site in English is because most people understand it. That doesn't make them better or more reputable than French, German or Dutch sites.


That said, we are still seeing threads based on sites which are in English, yet have a bad reputation.



Tachikoma said:
Tamron said:

Yes mr high and mighty.

This vulnerability has been doing the rounds with security advisories for the past few days and the best anyone can do with it is dump publicly pollable data, such as numerical user id, psn id and associated salted email account, all things fairly easy to obtain without an exploit. Everything else is on not only a different database, but a completely different server, changes they made in the wake of the 2011 attacks.

And no, it's not likely that the person reporting this actually publicly released what he/she found, however as you should know by now, all it takes is for someone to point in the direction of something vulnerable and the security community and the nice folks over on sites like packetstorm and securityfocus don't really have to search long before they find the same hole.

As things now are, a login request is sent to one server which then queries a private linked server internally. Communications between the two aren't sniffable, and data is only transmitted through the public server to the client if the auth completes successfully.


Any links for this?



crissindahouse said:
Aerys said:

Seriously? A topic based on a Google translation of news from 4 days ago on an unknown website? If there was really an issue, why does no one else talk about it?

Really horrible that sites which aren't in English say something because they are automatically "unknown" and have no idea about anything!

Only sites which speak English, so that you from an English speaking country know the site, are reputable, right? Dude...

And that doesn't even have anything to do with this topic now but I read stupid stuff like that plenty of times of people who think a site which is unknown for them because it is in another language is automatically useless for information. 

 

so in other words this security "expert" points out a vulnerability in security and it was stated it was pointed out 2 weeks ago and it being a SQL injection and yet stated nothing was done about it?

I mean, it's pretty ironic all this very rough patch network problems that Sony has all going on so much just so happens to be a land slide all happening all at once. such a quinkie dink

lmao so many problems that there is another company's network service waiting with open arms for those tired of the poor excuse for a network by sony. instead you could go to a rock solid network that takes your consumer security as priority #1

please buy our service and into our eco system.

but that is just some fanboy logic, no companies or people would ever go to such lengths to undermine another company's product or service.

just like no company had groups of hackers wanting to make an example out of such corp for the removal of linux os..no none of that could ever go on...

lmao



I AM BOLO

100% lover "nothing else matter's" after that...

ps:

Proud psOne/2/3/p owner.  I survived Aplcalyps3 and all I got was this lousy Signature.

walsufnir said:
Tachikoma said:
Tamron said:

Yes mr high and mighty.

This vulnerability has been doing the rounds with security advisories for the past few days and the best anyone can do with it is dump publicly pollable data, such as numerical user id, psn id and associated salted email account, all things fairly easy to obtain without an exploit. Everything else is on not only a different database, but a completely different server, changes they made in the wake of the 2011 attacks.

And no, it's not likely that the person reporting this actually publicly released what he/she found, however as you should know by now, all it takes is for someone to point in the direction of something vulnerable and the security community and the nice folks over on sites like packetstorm and securityfocus don't really have to search long before they find the same hole.

As things now are, a login request is sent to one server which then queries a private linked server internally. Communications between the two aren't sniffable, and data is only transmitted through the public server to the client if the auth completes successfully.


Any links for this?

Research on active vulnerabilities isn't published on their site unless the vulnerability leads to a critical flaw, or unless the hole (however small) has been patched. If you want to sniff the sidetracks, by all means join their newsgroups or IRC channels.

The other thing to keep in mind is that they would not publish the vulnerability as "PSN HACK!", or even mention psn at all. They would publish it specifically under the module or platform it's running, such as apache, an associated module, or OS; this keeps the people with a solid grasp of these things in the loop and the script kiddies out.

I.e. you need to know what platform, what OS, what server software, what version of said software, what SQL driver and so on.

If you're expecting a link to "hack found for psn login servers" then you do not understand how security advisory websites work.