A 20-year-old Austrian penetration tester claims that the credentials of Sony PlayStation Network users might not be safe due to a blind SQL injection vulnerability in the PlayStation Network website. Aria Akhavan explains that the bug could let attackers collect information from the customer database with the help of SQL queries.
Blind SQL Injections Are Rather Hard to Exploit
A blind SQL injection is not as easy to exploit as a regular one because the information is not directly displayed on the page. Rather, the page sends back only an error message or a generic response, and the attacker has to ask true-or-false questions via SQL statements, inferring the database contents one answer at a time.
Such attacks take more time to complete, but the process can be sped up if the attackers use automated tools once they have identified the vulnerability and the target.
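The root cause described above is a query built by concatenating user input, combined with a page that reveals only a yes/no result. The following added example, which is not code from the original article or from Sony, contrasts a vulnerable lookup with a parameterized one against a small constructed SQLite table; the table, the usernames and the tautology string are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a crafted value can
    # rewrite the WHERE clause. The caller only learns whether a row matched,
    # which is exactly the true/false signal a blind injection feeds on.
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def lookup_parameterized(conn, username):
    # Hardened: the value is bound as a parameter. The database engine treats it
    # purely as data, so quotes or keywords inside it never alter the query.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def demo():
    # Returns the yes/no answers each implementation gives for a normal name and
    # for a boolean tautology (the classic always-true condition).
    conn = make_db()
    normal = "alice"
    tautology = "nobody' OR '1'='1"  # constructed input for the demonstration
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "param_normal": lookup_parameterized(conn, normal),
        "param_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With concatenation the tautology makes the query answer "true" for a name that does not exist, which is the single bit an attacker would then use to ask further questions; with the bound parameter the same string is just an unknown username and the answer stays "false". Parameterized queries (or an ORM that uses them) remove the flaw entirely, and a lookup that returns the same generic response for errors and for genuine misses also shrinks the side channel.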
Akhavan shared in an interview that the company was informed about the flaw in October, but there was no reply until the end of the month. The researcher added that the vulnerability had not been patched at the time of the interview. The exact type of information that can be collected is not clear, but log-in credentials may be the least of the problems.
Sony Data Breach Cases Go Way Back
Akhavan has already warned numerous companies, including Avast and eBay, about vulnerabilities that could easily be exploited by questionable third parties. The penetration tester has been studying techniques for identifying flaws for about five years. He declined to say how much he had earned from reporting vulnerabilities to the various companies.
Sony has been targeted by cyber criminals constantly. One recent example is the massive DDoS attack by the Lizard Squad that blocked access to the company's online gaming network in several regions of the world. Although DDoS attacks are not meant to steal data, they can be used by cyber criminals to divert attention from another attack designed for that purpose.
In 2011, Sony was the target of numerous attacks. The hacker group LulzSec acquired information such as emails, passwords, dates of birth and home addresses of more than one million SonyPictures.com customers; the outfit exploited a simple SQL injection flaw. An earlier PlayStation Network attack, though, led to the leak of financial as well as personal records of about 77 million customers.