Sony PlayStation 4 is one of the most widely used gaming consoles. The other major competitor is the Xbox One by Microsoft. Being a gaming console doesn’t mean that it is free from exploitable vulnerabilities. The recent rise of cyber attacks on different platforms has pushed Sony to roll out bug bounty programs.
Introduction of the Bug Bounty Program
Like many other companies, Sony also had a private bug bounty program exclusive to a few select security researchers. It all changed in June. On June 24th, Sony announced a public bug bounty program open to all in collaboration with HackerOne.
The bounties are restricted to reports that pertain to a few domains of the PlayStation Network and in the case of the PS4 system, it is valid only for those about the current or beta version of the system software. The program doesn’t accept social engineering attacks, DDoS attacks, or issues about game software among others. While Sony hasn’t mentioned any specific reasons to bring in such a change, they mentioned that they’ve understood the valuable role that the research community plays in enhancing security. It basically translates to Sony keeping an eye out for their security in light of the increasing number of cyberattacks.
Accepted Vulnerabilities
Sony has released a list of accepted vulnerabilities that are accepted for the bug bounty program. The domains that are in scope for vulnerabilities in regard to the PlayStation Network are:
- *.playstation.net
- *.sonyentertainmentnetwork.com
- *.api.PlayStation.com
- my.playstation.com
- store.playstation.com
- social.playstation.com
- transact.playstation.com
- wallets.api.playstation.com
If you have a look at the domains mentioned in this list, all these deal with the core aspects of the PlayStation Network. External links and ads to other sites aren’t included unless they interact with the domain. Sony accepts reports on the PlayStation 4 system, operating system, and accessories when it comes to the console. The vulnerabilities include
- Cross-Site Request Forgery (CSRF)
- Cross-site Scripting (XSS)
- Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
- Insecure Direct Object References
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-Side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
- Directory Traversal
- Information Disclosure
- Open Redirects
- Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product)
Read More: How To Create Strong Passwords
Out-of-Scope Vulnerabilities
Sony doesn’t accept vulnerabilities in any other Playstation Network domain other than the 8 ones that are mentioned. Extra information about open-source vulnerabilities that have been made public for less than 7 days is also not accepted. Sony also doesn’t accept social engineering attacks aimed at internal employees, physical attacks, scanner reports including any automated exploitation tool. Network vulnerabilities are exploited by DDoS attacks, clickjacking, and HTTP flags among others.
Rewards
Until this point, the average bounty offered is 400$ and the total payout last disclosed was 177,500$. Sony has promised up to 50,000$ for severe vulnerabilities dealing with the PS4 and 3000$ for those to do with the PlayStation Network. The highest disclosed bounty so far is for 10,000$ was one to do with the exploitation of the Webkit browser engine. The vulnerability had a severity score of 7-8.9.
Read More: All About Bug Bounty Hunting
Webkit Browser Engine Exploitation
The vulnerability was disclosed on July 6 by a popular developer Nguyen. He announced it on his Twitter handle @thefow0. The Webkit engine had an earlier vulnerability found on PS4 firmware version 6.20. The exploit is done by establishing an arbitrary read/write and an arbitrary object address leak in wkexploit.js. The attack is progressed by setting up a framework to run ROP chains in index.html.
This generates two hyperlinks by default to test ROP chains. This was fixed in 6.50 firmware. As per the information on Nguyen’s Twitter account, he announced that the new vulnerability exists on systems running firmware 7.02 or earlier. According to him, the kernel exploit works in tandem with a Webkit exploit which preexists on firmware 6.72 or older.
He also discovered a vulnerability in the firmware version 6.02 a few months ago. He says that this was caused by missing locks in the IPV6_2292PKTOPTIONS option of set sockopt, which allows the attackers to race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setptopt. Being one of the top paid vulnerability disclosure programs open for all, this is a good arena for people with enough exposure. It is also a good way for beginners to earn some credibility, provided that they can find bugs.
Similarly, the Play Station 5 is launched, this year is also expected to follow suit by rolling out a similar program immediately after the launch. This translates into continuous opportunities for those familiar and well-knowledged in the inner workings of the console and their gaming network.
Interested to learn more about the various bug bounty programs and their top contributors? Follow our blog to keep yourself updated with the latest trends in cybersecurity.