PlayStation Now Fixes Vulnerability That Allowed Attackers to Run RCE on Windows PCs

Alina BÎZGĂ

December 08, 2020

A critical flaw in the PlayStation Now cloud gaming application could have let attackers run malicious code on Windows devices.

The vulnerability was reported on May 13 by bug hunter Parsia Hakimian, and fixed on June 25 by the online gaming giant.

The bug, residing in an insecure AGL application, affected PlayStation Now versions 11.0.2 and earlier on machines running Windows 7 SP1 and later.

“The PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE),” Hakimian said. “Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.”

In his description of an attack, Hakimian said a threat actor could send a malicious link to users through online forums or Discord. When a user opens the link on their computer, malicious scripts on the website connect to the local WebSocket server [ws://localhost:1235] and ask AGL (an Electron application) to load and run malicious Node code on the target's device.

“Any JavaScript loaded by AGL will be able to spawn processes on the machine. This can lead to arbitrary code execution,” the bug hunter added. “The AGL application performs no checks on what URLs it loads.”
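The two missing checks described above (who may talk to the local WebSocket server, and which URLs the application will load) can be sketched as follows. This is an added example, not code from PlayStation Now or from Hakimian's report; the allowlisted origin, the content host and the `{command, url}` message shape are hypothetical, and only the port comes from the article.

```javascript
// Added example: allowlist values and message format are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);   // hypothetical trusted page
const ALLOWED_LOAD_HOSTS = new Set(["content.example.com"]);    // hypothetical content host
const LOCAL_HOSTS = new Set(["localhost:1235", "127.0.0.1:1235"]); // port from the article

// Decide whether a WebSocket upgrade request may proceed. Browsers attach an
// Origin header to every WebSocket handshake and page script cannot override it.
function checkHandshake(headers) {
  const host = (headers.host || "").toLowerCase();
  if (!LOCAL_HOSTS.has(host)) return { ok: false, reason: "unexpected Host" }; // DNS rebinding guard
  if (!headers.origin) return { ok: false, reason: "missing Origin" };
  if (!ALLOWED_ORIGINS.has(headers.origin)) return { ok: false, reason: "untrusted Origin" };
  return { ok: true };
}

// Decide whether a URL received over the socket may be loaded by the app.
function checkLoadUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "non-HTTPS scheme" };
  if (url.username || url.password) return { ok: false, reason: "embedded credentials" };
  if (!ALLOWED_LOAD_HOSTS.has(url.hostname)) return { ok: false, reason: "untrusted host" };
  return { ok: true, url: url.href };
}

// Validate one JSON command from a connection with the given handshake headers.
function handleMessage(headers, text) {
  const hs = checkHandshake(headers);
  if (!hs.ok) return hs;
  let msg;
  try { msg = JSON.parse(text); } catch { return { ok: false, reason: "bad JSON" }; }
  if (msg === null || typeof msg !== "object" ||
      msg.command !== "load" || typeof msg.url !== "string") {
    return { ok: false, reason: "unsupported command" };
  }
  return checkLoadUrl(msg.url);
}

// Constructed sample: a page on an arbitrary site asks the app to load a script.
const fromWeb = { host: "localhost:1235", origin: "https://forum.example.net" };
console.log(handleMessage(fromWeb, '{"command":"load","url":"https://forum.example.net/x.js"}'));
```

Since Electron content with Node integration can spawn processes, the URL allowlist matters even when the Origin check passes: it limits what a compromised or mistaken trusted page can make the application load.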

The findings landed the researcher a whopping $15,000 bounty awarded by PlayStation's HackerOne bug bounty program.

The fix couldn't have come at a better time for the gaming community, since the cloud-gaming service had gained more than 2.2 million subscribers by April 2020.
