The personal data of Sony PlayStation Network users could once again be at risk because of a bug that allows blind SQL injection on a Sony website, a penetration tester claims.
20-year-old Aria Akhavan from Austria reports that he discovered a vulnerability that could allow an attacker to obtain information from the website's database using SQL queries.
The vulnerability is difficult to exploit, but exploitation is not impossible.
A blind SQL injection is more difficult to exploit than a regular SQL injection because the data does not appear on the website immediately. The page returns a generic error message, and the attacker has to ask the database true-or-false questions through SQL queries in order to retrieve its information.
Although this kind of attack takes more time to perform, it can be accelerated by using automated tools once the target and the vulnerability have been identified.
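The true-or-false behaviour described above can be shown with a small added example, which is not code from Sony's site or from the researcher. It assumes a hypothetical product lookup page backed by an in-memory SQLite table, and compares a handler that concatenates the request parameter into the query with one that validates and binds it.

```python
import sqlite3

GENERIC_ERROR = "Sorry, something went wrong."  # constructed page text
OK_PAGE = "Product found."                      # constructed page text


def make_db():
    """Build a constructed in-memory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO products VALUES (1, 'console')")
    return db


def page_vulnerable(db, product_id):
    """Weak handler: the request parameter becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return GENERIC_ERROR  # no database detail is shown, only a generic page
    return OK_PAGE if row else GENERIC_ERROR


def page_hardened(db, product_id):
    """Hardened handler: validate the type, then bind the value as data."""
    try:
        value = int(product_id)
    except ValueError:
        return GENERIC_ERROR
    row = db.execute(
        "SELECT name FROM products WHERE id = ?", (value,)
    ).fetchone()
    return OK_PAGE if row else GENERIC_ERROR


def leaks_boolean(page, db):
    """Regression check: does the page answer differently to a condition
    that is always true and one that is always false? If so, the page
    works as a yes/no oracle even though it never displays query results."""
    return page(db, "1 AND 1=1") != page(db, "1 AND 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", leaks_boolean(page_vulnerable, db))
    print("hardened handler leaks:  ", leaks_boolean(page_hardened, db))
```

A check like `leaks_boolean` can be kept in a test suite so that a handler that starts building SQL from request text fails the build.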
The security researcher said in an interview with Effect Hacking that he has been in contact with Sony about this issue since mid-October but has not yet received a response. Meanwhile, the vulnerability continues to exist.
Akhavan stated that he has been studying penetration testing techniques for about five years, and he refused to share the results of the tests he performed on Sony's site.
Note that Sony has a history of data breaches. Some time ago the company was a constant target of a group known as Lizard Squad. The group carried out DDoS attacks, cutting off access to the online network.
DDoS attacks are not designed to steal data, although they can be used to distract from a different attack that has this purpose and is carried out "behind the scenes".
An earlier attack on the PlayStation Network led to the leak of personal and financial data of at least 77 million of the company's customers.