Sony Online Entertainment Accounts Vulnerable to Brute Force Password Reset
A few months ago I began to receive numerous spam emails from Sony Online Entertainment. Obviously, some poor kid had typed in my email address instead of his own when signing up for the online gaming platform.
As a nice guy, I sent SOE customer service an email asking for my email address to be removed. (I do not like being awoken by a beeping cell phone in the middle of the night.) Sure, I could have just flagged the email as SPAM, and gone on with my life. But I thought the honest, correct and ‘right’ thing to do was to get this poor kid's account actually corrected.
I received no response from Sony Online Entertainment Customer Service.
After being awoken several more times, my attitude for SOE turned towards the unfavorable side. I thought, “why don’t these people simply respond, and why won’t they stop sending me crap when requested?” So I attempted to have this corrected once again:
God fucking admit you have the wrong email address stop sending me this
Sent from my iPhone
On Feb 27, 2015, at 4:40 PM, Sony Entertainment Network
Wallet Transaction Notification: Funds Added.
The requested funds have been added to your Sony Entertainment Network wallet. The transaction details are provided below for your records.
The Sony Entertainment Network Team
Online ID: imabad460
Order Number: 8052327724
Date Purchased 02/18/2015 @ 11:10 AM
Charge Method: MC 5516********4375
Funds Added To Wallet: $9.99
Current Wallet Amount*: $9.99
*This wallet amount is current as of the date and time of this transaction.
To update your marketing preferences, please click here.
This e-mail message has been delivered from a send-only address. Please do not reply to this message. For more information about your account, please visit the links below.
“Sony Entertainment Network” and “Sony Entertainment Network Logo” are trademarks of Sony Corporation.
Again, no response. Poor little imabad460. It seems SOE is not interested in fixing this problem for its customer.
Then in March of 2015, after being awoken several times again by SOE spam, I decided to call SOE customer support. The nice foreign guy at the call center did not seem to be concerned that their company was sending out spam to non-customers after being asked nicely not to. He said he would send me a password reset. I told him that was the problem, please stop doing so. He then demanded my name, and I explained to him that my name is irrelevant since I am not an SOE customer. This went on and on and they said they would send a verification email to the email address in question. They did, and I responded with:
Do Not Reply firstname.lastname@example.org via rg4l6fsz62gjayab.5q95zs6dsyqcprg9.a50sj.i-h5efeac.na15.bnc.salesforce.com
Mar 18 (4 days ago)
Send the email to “email@example.com”
Subject line: ATTN: Sony Entertainment Network account Email Investigations, Case Number#
Body of the email: Include your name and Case number
Be sure to document in the “Case Feed” the email is being used without permission.
05183358 this is the case
Mar 18 (4 days ago)
Yes I do not have a Sony account, please stop sending me emails. The account holder has used the wrong email address
Sent from my iPhone
> On Mar 18, 2015, at 12:44 PM, Do Not Reply
> Send the email to “firstname.lastname@example.org”
> Subject line: ATTN: Sony Entertainment Network account Email Investigations, Case Number#
> Body of the email: Include your name and Case number
> Be sure to document in the “Case Feed” the email is being used without permission.
> 05183358 this is the case
Since then, I just keep receiving account password links from Sony. So I thought to myself, “I will just fix it myself!” I clicked on the password reset link that they sent me, and was taken to a birthdate verification page. This is where the exploit was found.
That is when I discovered that the Sony Online Entertainment password reset webpage does not time out or fail out after x number of attempts. This is a large security hole. By my math, it should take 365 dates (1-31 x 12 months) x 40 ‘years’ (1975-2015), or approximately less than 15,000 attempts, before the password reset is brute forced.
Weak Sauce SOE! Can’t you just remove my email address from your system as requested?
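The missing control described above, sketched as an added example (not code from Sony or from the original post): a per-account failure counter on the birthdate check, plus the arithmetic showing what a cap does to a keyspace this small. The class and function names, the 5-failure limit and the one-hour lockout are assumptions chosen for illustration.

```python
import hmac
from datetime import date

MAX_FAILURES = 5        # assumed policy value, not from the post
LOCKOUT_SECONDS = 3600  # assumed policy value, not from the post

def birthdate_keyspace(first_year=1975, years=40):
    """Real calendar dates in the post's 40-year window, leap days included."""
    return (date(first_year + years, 1, 1) - date(first_year, 1, 1)).days

class BirthdateGate:
    """Counts failed birthdate checks per account rather than per reset link,
    so requesting a fresh link does not hand out a fresh set of guesses."""

    def __init__(self):
        self._failures = {}      # account -> failures in the current window
        self._locked_until = {}  # account -> unix time the lockout ends

    def check(self, account, guess, actual, now):
        # A locked account rejects every guess, including the correct one.
        if now < self._locked_until.get(account, 0):
            return "locked"
        # Constant-time comparison of the ISO date strings.
        if hmac.compare_digest(guess.isoformat(), actual.isoformat()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
            return "locked"
        return "retry"

def hours_to_exhaust(keyspace, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Lockout time that must elapse before every date could have been tried."""
    windows = -(-keyspace // max_failures)  # ceiling division
    return (windows - 1) * lockout / 3600
```

With these assumed values the 14,610 possible dates take roughly four months of lockout windows to cover instead of a single sitting, which leaves time for alerting on the repeated failures.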