Tachikoma said:
Tamron said:

Yes, Mr. High and Mighty.

This vulnerability has been doing the rounds with security advisories for the past few days and the best anyone can do with it is dump publicly pollable data, such as numerical user id, psn id and associated salted email account, all things fairly easy to obtain without an exploit, everything else is on not only a different database, but a completely different server, changes they made in the wake of the 2011 attacks.

And no, it's not likely that the person reporting this actually publicly released what he/she found, however as you should know by now, all it takes is for someone to point in the direction of something vulnerable and the security community and the nice folks over on sites like packetstorm and securityfocus don't really have to search long before they find the same hole.

As things now are, a login request is sent to one server which then queries a private linked server internally, communications between the two aren't sniffable, data is only transmitted through the public server to the client if the auth completes successfully.


Any links for this?