PlayStation Now, Sony’s cloud gaming service, is home to several critical security vulnerabilities that allow attackers to execute arbitrary code on users’ PCs. They affect version 11.0.2 of PS Now, as well as all previous versions, on PCs running Windows 7 SP1 or newer.
While PlayStation Now subscribers can get their hands on Horizon Zero Dawn in December 2020, Sony has just confirmed a disturbing find: the cloud gaming service housed several critical security vulnerabilities. If exploited, they would let an attacker execute arbitrary code on users’ Windows PCs.
These vulnerabilities were discovered by computer security researcher Parsia Hakimian, a bug hunter in his spare time. The flaws concern version 11.0.2 of PlayStation Now, as well as all previous versions of the service, on PCs running Windows 7 SP1 or newer.
Parsia Hakimian spotted these flaws on May 13, 2020, through Sony’s bug bounty program, which is hosted by HackerOne, a vulnerability coordination and bug bounty platform that connects businesses and cybersecurity researchers. On June 25, 2020, Sony corrected these flaws and marked them as “Resolved” in his report.
PS Now vulnerable, 2 million potential targets
As Parsia Hakimian explains, this breach was the product of three distinct faults which, when combined, allow unauthenticated attackers to launch remote code execution (RCE) attacks by abusing a code injection weakness.
“Any website loaded in a browser on the same machine can execute arbitrary code on the machine through a vulnerable web connection,” Parsia Hakimian details. To successfully exploit this breach, attackers must trick PS Now users into opening a malicious link, distributed through phishing emails, forums or Discord channels, for example.
The computer security researcher was also handsomely rewarded by the manufacturer for his discovery, up to $15,000, which says a lot about the seriousness of these flaws. Note that Sony’s bug bounty program was not intended for Windows flaws, but rather for PlayStation 4 and PlayStation 5 systems, accessories and the PlayStation Network. Suffice it to say that Sony did not expect the discovery of such a flaw.
Source: Bleeping Computer