habib
Developer
So guys, I would like to let you know about some of Sony's exploits which got patched and which I would like to disclose. It's related to PS3, so here goes one exploit which is very interesting.
1. CONSOLEID LEAK:
If you activate the PS3 as primary, your consoleid is registered, and if you look at the traffic in Charles when you go to the device management section on the website (https://dms.api.playstation.com/api/v1/devices/accounts/me), your consoleid of the PS3 will be listed. Sony took action on this for 1 week, which is why you could not deactivate all. Now they use a different device identifier vita/ps4/ps3. Millions of consoleids are hacked at this point. Bug fixed.
2. SONY FORGOT TO CHECK CONSOLE TOKENS!:
It's a critical mistake.
https://auth.api.np.ac.playstation.net/2.0/oauth/token
The headers which went were:
chunk = curl_slist_append(chunk, "Host: auth.api.np.ac.playstation.net");
chunk = curl_slist_append(chunk, "User-Agent: NpOAuthVsh/4.86");
chunk = curl_slist_append(chunk, "Connection: Keep-Alive");
chunk = curl_slist_append(chunk, content_length);
chunk = curl_slist_append(chunk, "Accept-Encoding: identity");
chunk = curl_slist_append(chunk, console_token);
chunk = curl_slist_append(chunk, "Content-Type: application/x-www-form-urlencoded");
chunk = curl_slist_append(chunk, "Accept:");
Sony FORGOT to check for the console token, which breached millions of emails and passes WITH your addresses and phone number, partial credit cards etc.
So this bug got patched very fast, as soon as I discovered it.
3. Remember I told you about the consoleid leak? It was linked to the console token, so you can see one could generate a console token by a bruteforce attempt at every database hacked, and you get a "hit" if you find a consoleid you can reuse = NO BAN. IT'S A RECURSIVE CYCLE!
All these bugs have been patched. I would ask Sony to please increase your bug bounty for criticals to 50k.... people won't have incentive. Because of your mistakes a lot of people's data has been breached.
Stay safe, change email pass of your associated PSN/SEN account.
For privacy reasons I will not disclose keysets and how to generate the token.
This went on for 3-4 months. Millions of accounts are hacked because of this, including vita/ps3/ps4 and associated addresses and everything really.
regards,
habib
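The server-side check that point 2 says was missing, together with throttling of the repeated guessing described in point 3, as an added example that is not part of habib's post and is not Sony's code. The `X-Device-Token` header name, the `device_id|issued|mac` token format, the key and the limits are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions); a real service loads the key from a key store.
SERVER_KEY = b"demo-key-constructed-for-this-example"
MAX_AGE_SECONDS = 300
MAX_FAILURES = 5  # failed device-token checks allowed per client address

_failures = {}  # client address -> count of failed device-token checks


def issue_device_token(device_id: str, now: int) -> str:
    """Mint a token bound to one device id and an issue time (hypothetical format)."""
    msg = f"{device_id}|{now}".encode()
    return f"{device_id}|{now}|{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"


def check_device_token(token, now: int) -> bool:
    """Return True only for a well-formed, unexpired token with a valid MAC."""
    if not token:
        return False  # a missing header must fail, never fall through
    parts = token.split("|")
    if len(parts) != 3:
        return False
    device_id, issued, mac = parts
    if not (issued.isascii() and issued.isdigit()):
        return False
    expected = hmac.new(SERVER_KEY, f"{device_id}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= now - int(issued) <= MAX_AGE_SECONDS


def handle_token_request(headers: dict, client_addr: str, now: int) -> int:
    """Return the HTTP status the token endpoint should answer with."""
    if _failures.get(client_addr, 0) >= MAX_FAILURES:
        return 429  # throttle guessing before doing any further work
    if not check_device_token(headers.get("X-Device-Token"), now):
        _failures[client_addr] = _failures.get(client_addr, 0) + 1
        return 401  # credentials are never evaluated without a valid device token
    _failures.pop(client_addr, None)
    return 200  # only now continue to the normal credential and grant checks
```

A production service would keep the failure counters in shared storage with an expiry and alert on clients that reach the limit.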