A bug hunter was rewarded $15,000 for reporting a critical RCE bug in Sony's PS Now. He described that this bug, when exploited, can let attackers inject malicious code and run it on target users' systems. He reported the bug earlier this year, and PlayStation marked it as resolved a month later, after patching it.
PlayStation Now Bug Leading to RCE Attacks
Competing against Microsoft's Xbox Game Pass, Sony introduced a similar cloud gaming subscription service called PlayStation Now in 2014, which now has more than 2.2 million subscribers. Because it is popular, it could become one of the favorite targets for hackers.
Thus, PlayStation set up a bug bounty program on HackerOne earlier this year in hopes of rewarding bug hunters who privately disclose critical bugs in its network and gadgets. This led a bug hunter named Parsia Hakimian to submit an RCE bug in PlayStation Now (PS Now) on May 13th, which PlayStation resolved a month later.
My $15K PlayStation bug has finally been disclosed. My one and only tip is to read every single @taviso bug. This is essentially two of his public bugs chained together. https://t.co/0tQyJmn3q9
— Parsia Hakimian (@CryptoGangsta) December 4, 2020
He said the bug affects PS Now versions 11.0.2 and earlier on computers running Windows 7 SP1 or later. He noted that the bug lies in an insecure Electron app, which, if exploited, exposes users to RCE attacks.
He stated that "Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable WebSocket connection."
Thus, an attacker can send a malicious script to users through any channel and lure them into clicking it. Once opened, it connects to the WebSocket on the user's device. He explained that the JavaScript loaded by AGL will be able to spawn processes on the machine.
Thus, it can "lead to arbitrary code execution" since the "AGL application performs no checks on what URLs it loads." The catch is that the AGL WebSocket does not check the Origin header or the origin of requests. PlayStation awarded him a $15,000 bounty for reporting this.
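The two missing checks described above, written as an added example (not code from PS Now or from the original report): a localhost WebSocket endpoint that refuses handshakes whose Origin is not allowlisted, and a URL allowlist for anything the app is asked to load. The origin, host and function names are hypothetical placeholders.

```javascript
// Added example: defensive checks for a localhost WebSocket control channel.
// Every origin, host and function name here is a hypothetical placeholder.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);
const ALLOWED_LOAD_HOSTS = new Set(['app.example.test']);

// Exact-match the Origin header. Browsers attach it to every WebSocket
// handshake and page script cannot change it.
function isAllowedOrigin(originHeader) {
  if (typeof originHeader !== 'string') return false; // header missing
  let parsed;
  try { parsed = new URL(originHeader); } catch { return false; } // "null", garbage
  // Compare the full serialized origin; never substring or prefix match.
  return parsed.origin === originHeader && ALLOWED_ORIGINS.has(parsed.origin);
}

// Vet a URL before the app loads it into a privileged window.
function isAllowedLoadUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  if (u.protocol !== 'https:') return false;      // no file:, data:, http:
  if (u.username || u.password) return false;     // no userinfo lookalikes
  return ALLOWED_LOAD_HOSTS.has(u.hostname);
}

// Attach the Origin check to a Node http.Server so a handshake is rejected
// before any WebSocket library accepts it. acceptUpgrade is the caller's
// hand-off into that library.
function guardUpgrade(server, acceptUpgrade) {
  server.on('upgrade', (req, socket, head) => {
    if (!isAllowedOrigin(req.headers.origin)) {
      socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    acceptUpgrade(req, socket, head);
  });
}
```

The Origin check stops pages in a browser from reaching the local socket; a non-browser process on the same machine can set any Origin it likes, so a per-session secret on the channel is still needed for that case.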