The personal data of Sony PlayStation Network users could once again be at risk because of a bug that allows blind SQL injection on its website, a penetration tester claims.
Aria Akhavan, 20, of Austria, reports that he has found a vulnerability that could allow an attacker to obtain information from the site's database using SQL queries.
The vulnerability is difficult to exploit, but not impossible.
A blind SQL injection is more difficult to exploit than a regular SQL injection because the data does not appear on the site directly. The page returns a generic error message, and the attacker has to ask a series of true-or-false questions through SQL queries to retrieve the database information.
Although this type of attack takes more time to carry out, it can be accelerated with automated tools once the target and the vulnerability have been identified.
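To illustrate why a generic error page still leaks information, here is an added example (not code from Sony's site or from the researcher) that puts a lookup built by string concatenation beside a parameterized one and checks each for a true/false difference in its response. The table, function names and inputs are assumptions constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, not taken from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO products VALUES (1, 'console')")
    return db

def lookup_vulnerable(db, item_id: str) -> str:
    # The input is concatenated into the SQL text, so it can alter the query logic.
    try:
        row = db.execute(
            "SELECT name FROM products WHERE id = " + item_id
        ).fetchone()
    except sqlite3.Error:
        return "error"  # generic message, no database details shown
    return "found" if row else "error"

def lookup_hardened(db, item_id: str) -> str:
    # Validate the type first, then bind the value as a parameter:
    # bound values are never parsed as SQL.
    if not (item_id.isascii() and item_id.isdigit()):
        return "error"
    row = db.execute(
        "SELECT name FROM products WHERE id = ?", (int(item_id),)
    ).fetchone()
    return "found" if row else "error"

def leaks_boolean(lookup, db) -> bool:
    # The page acts as a true/false oracle if an always-true and an
    # always-false condition added to the same input change the response.
    return lookup(db, "1 AND 1=1") != lookup(db, "1 AND 1=2")

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", leaks_boolean(lookup_vulnerable, db))
    print("parameterized query leaks:", leaks_boolean(lookup_hardened, db))
```

The same two-request comparison works as a regression test: a handler that answers both inputs identically gives an attacker no yes/no signal to build on.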
The security researcher said in an interview with Effect Hacking that he has been contacting Sony about this issue since mid-October but has yet to receive a response. Meanwhile, the vulnerability continues to exist.
Akhavan said he has been studying penetration testing techniques for about five years, and he declined to share the results of the tests he conducted on the Sony site.
Recall that Sony has a history of data breach incidents. Not long ago the company was a constant target of a group known as Lizard Squad. The group carried out DDoS attacks, cutting off access to the online network.
DDoS attacks are not designed to steal data, although they can be used as a distraction from a separate attack that does have this purpose and is carried out behind the scenes.
A previous attack on the PlayStation Network led to the leak of personal and financial information belonging to at least 77 million of the company's customers.