walsufnir said:
Tachikoma said:
Tamron said:

Yes mr high and mighty.

This vulnerability has been doing the rounds with security advisories for the past few days and the best anyone can do with it is dump publicly pollable data, such as numerical user id, psn id and associated salted email account, all things fairly easy to obtain without an exploit. Everything else is on not only a different database, but a completely different server, changes they made in the wake of the 2011 attacks.

And no, it's not likely that the person reporting this actually publicly released what he/she found, however as you should know by now, all it takes is for someone to point in the direction of something vulnerable and the security community and the nice folks over on sites like packetstorm and securityfocus don't really have to search long before they find the same hole.

As things now are, a login request is sent to one server which then queries a private linked server internally. Communication between the two isn't sniffable; data is only transmitted through the public server to the client if the auth completes successfully.


Any links for this?

Research on active vulnerabilities isn't published on their site unless the vulnerability leads to a critical flaw, or unless the hole (however small) has been patched. If you want to sniff the sidetracks, by all means join their newsgroups or IRC channels.

The other thing to keep in mind is that they would not publish the vulnerability as "PSN HACK!", or even mention psn at all. They would publish it specifically under the module or platform it's running, such as Apache, an associated module, or OS. This keeps the people with a solid grasp of these things in the loop and the script kiddies out.

I.e. you need to know what platform, what OS, what server software, what version of said software, what SQL driver and so on.

If you're expecting a link to "hack found for psn login servers" then you do not understand how security advisory websites work.