Tachikoma said:
IRC was discussing the find. Some people did some poking and found that the login server is running a slightly older version of a particular module that is vulnerable to attack. As I said in my first and second posts though, the absolute maximum said vulnerability would expose would be numerical user ID (useless), PSN ID (public info anyway) and salted emails (less useless but not worth cracking). The login servers were splintered away from the primary servers in 2011, hence why PSN was down for so damn long. The only way you could ever crack the userdb now would be to directly access the internal accounts server, which would involve a complete takeover of the login server (something SQL injection isn't going to give), especially since their login servers are just multiple VMs on blade servers.
So IRC it was, OK... Well, whatever. Perhaps we get some official info on what is possible with this and what is not, but the fact that there even is a vulnerability based on SQL injection doesn't put a good picture on Sony's attempt to secure their network.
And why do you explicitly mention blade servers running VMs? Nobody was expecting them to use one server.








