fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PlayStation Now Bugs Let Sites Run Malicious Code On Windows PCs

PlayStation Now Bugs Let Sites Run Malicious Code On Windows PCs

Security bugs found in the PlayStation Now (PS Now) cloud gaming Windows application allowed attackers to execute arbitrary code on Windows devices running vulnerable app versions.

PlayStation Now reached more than 2.2 million subscribers [PDF] at the end of April 2020 since the service’s launch in 2014.

The vulnerabilities discovered by bug bounty hunter Parsia Hakimian affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later.

Hakimian reported the PS Now bug on May 13, 2020, through PlayStation’s official bug bounty program on HackerOne. PlayStation addressed the bug and tagged the bug report as ‘Resolved’ one month later, on June 25th, 2020.

He was awarded a $15,000 bounty for his report even though his submission was not in-scope — i.e., it affected a Windows app and not one of the target assets included in the bug bounty program (the PlayStation 4 and PlayStation 5 systems, operating systems, accessories, or the PlayStation Network.)

Also Read: What Is A Governance Framework? The Importance And How It Works

Insecure Electron app exposes users to RCE attacks

Hakimian found that, when chained, the critical security issues allowed unauthenticated attackers to launch remote code execution (RCE) attacks by abusing a code injection weakness.

“Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection,” Hakimian said.

The attackers can run malicious code on a PS NOW user’s computer via a local WebSocket server started by the psnowlauncher.exe on port 1235 using the AGL Electron application it spawns after launch.

“JavaScript loaded by AGL will be able to spawn processes on the machine,” the researcher further explained. “This can lead to arbitrary code execution. The AGL application performs no checks on what URLs it loads.”

This is possible because the websocket server started on the target’s device does not perform any Origin header or request origin checks.

To successfully exploit the RCE bug, attackers have to persuade the PS NOW user whose device they want to compromise to open a specially crafted site using a malicious link provided via phishing emails, forums, Discord channels, etc.

After opening it in any web browser on their computer, malicious scripts on the website will connect to the local WebSocket server and ask AGL to load malicious Node code from another site and run it on the target’s device.

Sony bug bounty programs

Sony announced the launch of its public HackerOne PlayStation bug bounty program in June 2020, a program that pays security researchers and gamers for reporting security issues found in the PlayStation 4 and 5 systems, operating systems, accessories, and the PlayStation Network.

Qualified PlayStation bug submissions are eligible for bounty payouts ranging from $100 for a low severity PlayStation Network vulnerability up to $50,000 for a PlayStation 4 critical flaw.

This bug bounty program was already running privately with some security researchers when it was launched in June, which explains Hakimian’s submissions one month prior to the program’s launch.

The company also runs a separate Vulnerability Disclosure Program on HackerOne since October 2017 that allows bug bounty hunters to report qualifying security vulnerability in Sony products or websites not covered by the PlayStation program.

Also Read: Website Ownership Laws: Your Rights And What These Protect

PlayStation Now is not the only cloud-based game streaming service that fixed a critical security issue this year.

NVIDIA also released a security update to address a vulnerability in the GeForce Now cloud gaming Windows app that allowed attackers to execute arbitrary code or escalate privileges on systems running unpatched software.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us