Major security issue (url spoofing) found on the Vita browser

by ps3iso on February 13, 2013

Security researcher David Vieira-Kurz of website MajorSecurity.com recently reported a critical security issue on the PS Vita web browser. 2.05 is impacted as well, so technically all Vita owners are currently at risk with this issue.

The issue is a possibility to spoof the url displayed in the url bar through very simple javascript operations. This would allow a malicious website to let you believe you are accessing your bank’s website for example, or the PSN, and trick you into entering your credit card number, or some password that would immediately get stolen. More precisely, while the user sees something such as “playstation.com/psn” in their url bar, the real website serving the content can be anything such as “mymaliciouswebsite.ru/stealyourpassword”.

The vulnerability is extremely easy to put in place with a few lines of javascript, and a proof of concept page can be found on MajorSecurity’s website here. We tested and confirmed the issue is still here on 2.05. The security company contacted Sony several times back in January, but a patch has yet to be deployed.

Am I the only one concerned that Sony seems to be eager to fix our harmless homebrew exploits faster than actual security issues which would allow third parties to steal your personal information? I’m sure I’ll have fanboys go against me for that, but at the end of the day, how much credibility can we give to a service company that puts its own interests before that of its clients’ security?

If you’re running on 2.05 or less (which we currently all are), you are definitely at risk, so it is recommended that you don’t go to those fishy websites you use to enjoy on your vita… until Sony fixes the issue.

Oh, and as I’m sure some of you will ask… no, I don’t think anything here can be leveraged to turn this into a “useful” exploit for the scene :)

Source MajorSecurity (thanks to The people who mentioned it to me a looong time ago… I was away and didn’t have much time to confirm)

Tweet this!Tweet this!


Previous post:

Next post: