Sony has fixed a number of security bugs discovered in the PlayStation Now cloud gaming platform that could have allowed hackers to launch attacks on Windows devices. According to security researcher Parsia Hakimian, these bugs have opened the door for remote code execution (RCE) when they are chained, which means that the attacker can execute any code on the targeted machine. The vulnerabilities were first reported through the PlayStation bug bounty program at HackerOne in May and the entry was marked as resolved a month later. Hakimian received €15,000 for the disclosure, reflecting the high severity of the vulnerabilities.
PlayStation Now security bugs
PlayStation Now (or PS Now for short) is a subscription service that gives PC gamers access to over 700 games, including popular titles released exclusively on PlayStation. The service has garnered more than two million subscribers since its launch in 2014. As noted in the HackerOne post, the security bugs in question affected PlayStation Now version 11.0.2 and earlier, installed on computers running Windows 7 SP1 or more recent. The security breach is the product of three separate issues that, when combined, allow websites loaded in any browser on the vulnerable machine to execute code over a "vulnerable websocket connection." To carry out the attack, the hackers would have had to trick PS Now users into opening a malicious link, possibly distributed via a phishing email. The scripts on the compromised website would then connect to the local WebSocket server and load the malicious code from another site, before executing it on the machine. It is unknown to what extent the issues were exploited while they were active (if at all), but the vulnerabilities in question have long been addressed, meaning no further action is required on the side. of PS Now subscribers. Through a computer on hold