Personal data of Sony users Playstation Network could once again be at risk due to a bug that allows blind sQL injection on its website, as a penetration tester claims.
20-year-old Aria Akhavan from Austria reports that he discovered one vulnerability which could allow an attacker to obtain information from base website data, using SQL queries.
Vulnerability is difficult to exploit, but it is not impossible.
A SQL injection blind is more difficult to pay if we compare it with a regular SQL injection because the data does not appear on the site directly. The page returns a general error message and the attacker should start asking true or false queries with SQL queries to retrieve the database information.
Although this type of attack requires more time to take place, it can be accelerated by using automated tools when the target and vulnerability are highlighted.
The security researcher, he said in an interview with Effect Hacking that she has been in contact with Sony for this issue since mid-October, but has not yet received a response. Meanwhile, vulnerability continues to exist.
Akhavan said he was studying technical penetration tests for about five years and refused to share the results of tests he conducted on the Sony site.
Recall that Sony has a history of data breach incidents. Not long ago the company was a constant target of a group known as the Lizard Squad. The group was carrying out DDoS attacks, cutting it off access on the electronic network.
DDoS attacks are not designed to steal data, although they can be used to distract from a different attack that has this purpose and is done "from behind".
An earlier attack on the PlayStation Network led to personal and financial data leakage from at least 77 millions of company customers.