Sony Online Entertainment Accounts Vulnerable to Brute Force Password Reset

Sony Online Entertainment Accounts Vulnerable to Brute Force Password Reset

A few months ago I began to recieve numerous spam emails from Sony Online Entertainment. Obviously, some poor kid had typed in my email address instead of his own when signing up for the online gaming platform.
As a nice guy, I sent SOE customer service an email asking for my email address to be removed. ( I do not like being awoken by a beeping cell phone in the middle of the night). Sure, I could have just flagged the email as SPAM, and gone on with my life. But I thought the honest, correct and ‘right’ thing to do was to get this poor kids account actually corrected.

I received no response from Sony Online Entertainment Customer Service.

After being awoken several times more, my attitude for SOE turned ‘twords the unfavorable side. I thought, “why don’t these people simply respond, and why won’t they stop sending me crap when requested?”. So I attempted to have this corrected once again:

to Sony
God fucking admit you have the wrong email address stop sending me this

Sent from my iPhone

On Feb 27, 2015, at 4:40 PM, Sony Entertainment Network wrote:

Sony Entertainment
Network
Wallet Transaction Notification: Funds Added.

Dear glenn,

The requested funds have been added to your Sony Entertainment Network wallet. The transaction details are provided below for your records.

Thank you,
The Sony Entertainment Network Team

Online ID: imabad460
Order Number: 8052327724
Date Purchased 02/18/2015 @ 11:10 AM
Charge Method: MC 5516********4375
Funds Added To Wallet: $9.99

Current Wallet Amount*: $9.99
*This wallet amount is current as of the date and time of this transaction.

To update your marketing preferences, please click here.

This e-mail message has been delivered from a send-only address. Please do not reply to this message. For more information about your account, please visit the links below.

Support:
http://www.us.playstation.com/corporate/contactus/

Terms of Use and Privacy Policy:
http://www.sonyentertainmentnetwork.com/legal/

“Sony Entertainment Network” and “Sony Entertainment Network Logo” are trademarks of Sony Corporation.

SOE

Again, no response. Poor ‘little imabad460. It seems SOE is not interested in fixing this problem for its customer.

Then in March of 2015, after being awoke several times again from SOE spam, I decided to call SOE customer support. The nice foreign guy at the call center did not seem to be concerned that their company was sending out spam to non customers after being asked nicely not to. He said he would send me a password reset. I told him that was the problem, please stop doing so. He then demanded my name, and I explained to him that my name is irrelevant since I am not an SOE customer. This went on and on and they said they would send a verification email to the email address in question. They did, and I responded with:

Do Not Reply do-not-reply@playstation.sony.com via rg4l6fsz62gjayab.5q95zs6dsyqcprg9.a50sj.i-h5efeac.na15.bnc.salesforce.com
Mar 18 (4 days ago)

to me
Send the email to “pscustomer_service@playstation.sony.com”

Subject line: ATTN: Sony Entertainment Network account Email Investigations, Case Number#

Body of the email: Include your name and Case number

Be sure to document in the “Case Feed” the email is being used without permission.

05183358 this is the case

ref:_00Di0H5ef._500i0MVrtu:ref

Laguna Computer
Mar 18 (4 days ago)

to pscustomer_service@playstation.sony.com
Yes I do not have a Sony account, please stop sending me emails. The account holder has used the wrong email address

Sent from my iPhone

> On Mar 18, 2015, at 12:44 PM, Do Not Reply wrote:
>
> Send the email to “pscustomer_service@playstation.sony.com”
>
> Subject line: ATTN: Sony Entertainment Network account Email Investigations, Case Number#
>
> Body of the email: Include your name and Case number
>
> Be sure to document in the “Case Feed” the email is being used without permission.
>
> 05183358 this is the case
>
>
> ref:_00Di0H5ef._500i0MVrtu:ref

soe2

Since then, I just keep receiving Account password links from Sony. So I thought to myself. “I will just fix it myself!”. I clicked on the password reset link that they sent me, and was taken to a birthdate verification page. This is where the exploit was found.

That is when I discovered that the Sony Online Entertainment password reset webpage does not timeout for failout after x amount of attempts. This is a large security hole. By my math it should take 365 dates (1-31x12months) x 40 ‘years’ (1975-2015) approx less than 15,000 attempts before the password reset is brute forced.

Weak Sauce SOE! Can’t you just remove my email address from your system as requested?

Brute Force Vulnerability in Sony Entertainment Online's Account Password Reset Webpage
Brute Force Vulnerability in Sony Entertainment Online’s Account Password Reset Webpage

BitFinex Bitcoin Exchange Experiences Major Margin Limit Accounting Glitch

BitFinex Bitcoin Exchange Experiences Major Margin Limit Accounting Glitch

Starting the evening of Tuesday Feb 5, 2014, the Hong Kong based bitcoin exchange BitFinex experienced a MAJOR Margin Limit Accounting Glitch.

I had about BTC 0.38 in my account (approx $300 USD), and suddenly could trade with a margin of over $130,000!
I was able to make a few small trades before the error was notices, the exchange locked up, and the error was fixed. My outstanding position with over $4000 in ‘overdrawn’ margin was promptly cancelled by morning.

If I ever see this glitch again I will not hesitate to take out a $130,000 position and trade with it.
bitfinex_margin_glitch

TP-Link TL-WR703n External Antenna Mod

TP-Link TL-WR703n 3G Router External Antenna Mod

Here are some helpful links:

http://blagg.tadkom.net/2012/09/15/better-wr703n-antenna-mod/

http://blagg.tadkom.net/2012/09/01/wr-703n-external-antenna-mod-diy/

http://www.modlog.net/?p=429

Step 1. Drill A Hole

20130816-161529.jpg

 

Step 2. Cut the two Internal Antenna PCB Traces as shown here: http://blagg.tadkom.net/2012/09/01/wr-703n-external-antenna-mod-diy/

I decided to keep the J1 resistor and C114 capacitor as they orignally were after reading some comments suggesting the signal strength would be better leaving them alone.

Step 3. Solder on Antenna Pigtail Cable.  My cable was scavenged from a broken cheapie $5 USB Wifi adapter.  The soldering was hard.  It is just really small down there.  Here is a trick: put a blob of solder on the tip of your hot iron.  Now smear that melted blob OFF onto a dry sponge.  Now you should be able to PICK UP a SMALLER BLOB of solder and place it where you want.

I used tape to hold down the wire.  As you bend the cable, it puts a lot of tension on the two little solder points.  If you do not hold down the wire somehow, your precious little solders will eventually break off.  Since the tape will eventually fail, it would be far better to hold the wire down with a blob of hot glue gun stuff.20130816-161545.jpg

 

Step 4. Insulate, Assemble and Test.  Make sure you insulate the two little R82 resistors under the antenna fitting metal.  You do not want to short out the circuit board with the metal from the antenna screw fitting inside the case.  A small piece of sturdy electrical tape under the brass nut should cover and protect R82.20130816-161559.jpg

Finished!20130816-164449.jpg

The Pager Bomb Attack

The Pager Bomb Attack

Destroy your enemy by flooding them with calls from angry pager owners.

Here’s How!

1. The Enemy: Lets say your enemy has the phone number of 714-999-8888.  We are going to ‘pager bomb’ him.

2a. Obtain a Pager #: Since most people will only answer a page from the same area code, we need some local pager numbers (714 in this example).  Google search something like “714 pager number”

2b.  Refine a Pager #: I find that doctors are the only ones using pagers nowadays.  This is perfect because they usually really don’t like to be paged (especially while on the golf course right?).  Also, they are easier to find, because hospitals and office often list emergency pager numbers on their website.  PERFECT!.  So modify that Google search to something more like “714 emergency pager number” or “714 doctor pager”.  You get the idea.

Example: google search link http://www.alz.uci.edu/ucimind/contact-us/ lists

Primary Pager: 714-506-4004  Secondary Pager: 714-506-4005 These are doctors pager numbers.  They will not be happy to be paged unnecessarily.  Too bad for our enemy, he will have to deal with it.

2c. Expand and Find Pager Block:  Most pager #’s are sold in blocks.  Therefore if 714-506-4004 and 714-506-4005 are pagers, then yep you guessed it, 714-506-4006 thru 714-506-4100 are probably also pager numbers.  Call and confirm where the number suffix ends for the block.  Basically you have found 714-506-4004, and then discovered 100 more pager numbers by just incrementing the last four digits.  EASY.

You should now have at least 20 pager numbers.

Step 3. The Attack: Start dialing away, you know how a pager works.  Dial the pager, wait for the beep, then enter the Enemy’s phone number.  Repeat with the next pager number.

Note: use the memory recall button on your phone to store the enemy’s number so you don’t have to retype it over and over.

Suggestion:  Get an old PC with a fax modem, and a copy of FreeDOS, and your favorite wardialing program such as GunBelt (yes I am that old) and automate the whole attack.

Your victim should now receive many calls from pissed off people, wondering why he paged them.  After about the 40th call in 10 minutes, the attack can be considered ‘successful’.

See Also Conference Call Attack