14 DAY TRIAL // Details of Sony Playstation Network users could be at risk due to a blind SQL injection bug in the website, a penetration tester claims.
20-years-old Aria Akhavan from Austria says that he uncovered the flaw that could allow an attacker to obtain information from the customer database by using SQL queries.
Glitch is more difficult to exploit, but not impossible
A blind SQL injection is more difficult to exploit than regular SQL injections are, because the data is not displayed on the web page directly. Instead, the page returns a generic error message and the attacker needs to ask true or false questions through SQL statements in order to retrieve the database information.
Although this type of attack requires more time to be carried out, it can be sped up by using automated tools when the target and the vulnerability have been pinpointed.
The security researcher said in an interview to Effect Hacking that Sony was contacted about the matter in the middle of October, but by the end of the month an answer was still to be received.
Akhavan also said that, at the time of the interview, the flaw had not been fixed. It is unclear what kind of data could be gleaned from this security vulnerability, but usernames and password hashes may be the least data that could be extracted.
Sony has a history of data breach incidents
The penetration tester started reporting website vulnerabilities this year, in July, and has already alerted companies such as eBay and Avast of glitches that could be exploited by third parties.
However, Akhavan said that he’d been studying penetration testing techniques for about five years; he declined to share an earnings total as a result of responsible disclosure of the bugs to companies.
Sony is a constant target for hackers, and in a recent incident, a group known as the Lizard Squad initiated a massive DDoS (distributed denial-of service) attack on the company’s services, cutting off access to the online playing network in various regions of the world.
DDoS attacks are not designed to steal information, although they can be used to distract from a different attack that has this purpose.
Back in 2011, Sony fell victim to multiple attacks from hacker outfits of the time, Anonymous and LulzSec. The latter managed to retrieve customer information (passwords, email addresses, home addresses, dates of birth, and Sony opt-in data associated with their accounts) of over one million users of SonyPictures.com, by leveraging a simple SQL injection vulnerability.
A previous attack on PlayStation Network, however, led to the compromise of personal and financial records of at least 77 million customers.