PSN automatically "roots" your Facebook, no permission granted.
283 points by loucal on March 11, 2012 | hide | past | favorite | 33 comments
I have been meaning to link up my Modern Warfare 3 account with Facebook (new feature) so I could see which of my Facebook friends play. Today I finally did it and paid very close attention to the permission I was granting to the game. Call of Duty asks for permission to access all your basic info, view your photos, and post to your wall. A bit hefty, but I wanted to see who else was playing Modern Warfare 3 so I agreed. I was logged in, and when I went to my friends list I was informed it found no results, so it was pretty much pointless. Immediately I checked my account settings on Facebook thinking I would just remove access and forget about the whole thing. I was not so shocked to find that Call of Duty had allowed itself more access than it asked for. I WAS however shocked that there was another app allowed in the last 24 hours called 'Playstation Network' and it had a page-long list of access permissions, all of which were completely open and I had never been asked to allow that. (I'm pretty sure it just opened up every permission setting possible on Facebook.) Seriously, check it out yourself if you have the game on PS3. I would take a screenshot but I was so disturbed the first reaction was of course to revoke all access. Obviously any information they could access would have been crawled and indexed in Sony's servers in those few minutes, but it was all I could do of course. Has anyone else been disturbed by this? It is particularly ironic that Sony not so long ago lost all PSN users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our Facebook accounts. Please help me bring some attention to this.


I'm being pedantic, but "roots your Facebook" is a massive misuse of the word root.

I doubt Sony has the ability to do anything it wants with your account (It can't change your password, it can't revoke permissions of another app) so they haven't gained "root access" to your account.

I also doubt that Sony is hacking or getting this access through illicit means. Sony doesn't "root" your account through some sort of exploit, Facebook has most likely given them that access. (As a few others have mentioned)

You're right that this is disturbing. Poking holes into the security model in order to make the user experience more convenient is something companies do depressingly often. Here's an example that surprised me recently: if you activate your Android phone by signing into a Google account it ignores two-factor authentication and only asks for your password.

[edit, removed a patronizing paragraph]


:) I didn't think it would make it this long without someone calling me out on that, but you are 100% correct: rooting is not the right term for what happened since they did not actually control the account. Some might argue, however, that since they took the liberty to allow everything possible, for all intents and purposes (except of course changing my password, which would do them no good anyway) they had administrative access to my account.

Also, just to clear up what happened, I was asked to allow separate permissions for Modern Warfare 3 (much less lenient ones) and when I did that, PSN also hopped on board and opened up everything (which I clearly did not authorize). I don't think that Facebook has anything to do with this except for the fact that it is possible. I would hope that this sort of use of their service makes them unhappy.

I would take personally any app that asked me to allow certain rights and then piggybacked on every single possible right without notification. Some people don't care; I think it is an issue to bring to everyone's attention. I'm glad you got amusement, hopefully some others got more.
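The check the original poster did by hand (compare what the consent dialog asked for against what the app ended up holding) can be scripted. This is an added example, not code from the thread or from Facebook; the granted-permissions listing is a constructed sample whose shape (a `data` list of `permission`/`status` entries) is an assumption, and the scope names are illustrative.

```python
"""Audit granted OAuth permissions against the scopes the user actually consented to."""
from typing import Iterable

# Constructed sample: the three scopes the Modern Warfare 3 dialog presented (per the post).
CONSENTED_SCOPES = {"basic_info", "user_photos", "publish_stream"}

# Constructed sample of an app's granted-permission listing (assumed format; values invented).
GRANTED_RESPONSE = {
    "data": [
        {"permission": "basic_info", "status": "granted"},
        {"permission": "user_photos", "status": "granted"},
        {"permission": "publish_stream", "status": "granted"},
        {"permission": "read_mailbox", "status": "granted"},   # never shown in the dialog
        {"permission": "user_location", "status": "granted"},  # never shown in the dialog
        {"permission": "email", "status": "declined"},         # declined: not a grant
    ]
}

# Illustrative list of scopes a reviewer would treat as high impact if they appear unrequested.
SENSITIVE_SCOPES = {"read_mailbox", "user_location", "offline_access", "manage_pages"}


def granted_scopes(response: dict) -> set[str]:
    """Return only the permissions whose status is 'granted' (declined/expired entries are ignored)."""
    return {
        entry["permission"]
        for entry in response.get("data", [])
        if entry.get("status") == "granted"
    }


def audit_scopes(consented: Iterable[str], response: dict) -> dict:
    """Compare consented scopes with what is actually held and report scope creep."""
    consented = set(consented)
    held = granted_scopes(response)
    unexpected = held - consented          # held but never shown on the consent dialog
    missing = consented - held             # asked for but not (or no longer) granted
    return {
        "ok": not unexpected,
        "unexpected": sorted(unexpected),
        "sensitive_unexpected": sorted(unexpected & SENSITIVE_SCOPES),
        "missing": sorted(missing),
    }


if __name__ == "__main__":
    report = audit_scopes(CONSENTED_SCOPES, GRANTED_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-empty `unexpected` list is the signal to revoke the app, as the poster did; `missing` catches the opposite drift, where a scope the user approved has since been withdrawn.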


I'm not in the mood to rant on about Facebook, but I must say Facebook allows this to happen. If it didn't it wouldn't.

Facebook gives users the illusion of control and will only extend that illusion when someone makes a loud fuss (or a lawsuit).

When Zuckerberg states that Facebook has a hacking culture, I think he meant social engineering.


> Here's an example that surprised me recently, if you activate your android phone by signing into a google account it ignores two-factor authentication and only asks for your password.

Are you sure about this? Perhaps you have the "Remember this computer for 30 days" cookie around?


I saw your other comment that mentions your phone obeys 2Factor. Are you by any chance not running Ice Cream Sandwich? After I completely wipe my Galaxy Nexus it still doesn't ask for 2Factor. It doesn't even require an application specific password, it accepts my real password with no hesitation.


You've probably accidentally disabled the two-factor auth on your account. I strongly recommend checking.

My phone always asks for two-factor auth. In fact, I had to wipe my phone and re-auth, so I used one of the throw-away codes. When I re-init'd the Google Auth app (which annoyingly requires disabling and re-enabling two-factor auth, AND invalidates one-time-use keys), it immediately re-prompted me to complete an OAuth cycle with the two-factor code for the core Google account on my phone.

ICS/Galaxy Nexus/etc


Well this is embarrassing. I checked and somehow it was disabled. Thank you.


As TazeTSchnitzel alludes to, HTC and their Sense interface use a similar "special manufacturer" authentication permission to accomplish this.

EDIT: To clarify, Facebook has made a special deal with HTC (or Sony in the case of this post) to allow these non-standard browser OAuth flows.


Has anyone tried to sniff the authentication protocol going on here? I'd like to know if every OAuth consumer can use these hidden permissions.


Yeah, Facebook has a special authentication mode for devices where browser OAuth isn't an option.

My Samsung feature phone also gets full permissions when it logs in.


What devices don't have a browser? When I first get an Android device and need to add my Google account, the browser opens to handle the login flow (which requires my 2Factor key), and then the phone is authorized. Alternatively, I can create an application-specific password and use that.

I don't understand why Facebook can't do one of these two things.


There are several applications where devices either don't have a browser or the browser / input method is unsuitable. I have actually worked on several projects that use non-standard authentication (with FB's permission), and although I can't go into too much detail about exactly what the hardware applications were, they are real and do exist.


Sure, but you can use a Real Computer to authorize the app and feed the Special Device an app-specific password.

Yeah, that's not convenient, but you didn't get a computer without a working browser for convenience in using Facebook...


Yes, “Not an option”? When is it not an option?


> It is particularly ironic that sony not so long ago lost all psn users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our facebook accounts.

QFT. You would think that they'd show a little more sensitivity around privacy issues after their recent security fiasco, instead of looking for more ways to steal information that they might very well end up losing.


Holy crap, that's way beyond what I would have expected. Thanks for reporting this.


What do you think Sony pays for that?


So Facebook does nothing to restrict apps to the permissions they request? What's the point then?


Have you contacted Sony or Facebook? It would be interesting to know their answer.


I have not. Last time I complained to Sony they sent out an update to all PlayStations and when I downloaded it my PS3 clicked off and I got the 'yellow light of death'... done, over, forever. This new PS3 was a gift from my girlfriend so I wouldn't want to give Sony any reason to fry her $300 purchase like they did with mine.

I know this is a conspiracy theory. The Sony fanboys ripped me apart when I complained on Twitter about it. 'Obviously' it was just coincidence. I'm thinking at the very least it has to do with that legit version of Yellow Dog Linux I had on it at one point, which they forced me to remove with a more recent update if I wanted to keep my PSN access. I have a feeling I would have been better off just giving them the boot then and there... oh well, SMH.

EDIT: Just so everyone knows the details, it was after the big crack of PSN. It was down for months and every day I turned on my PS3, checked if I could get on, and turned it off. I complained on Twitter at some point and when the network finally came back up I installed the update. It completed 'successfully' and asked me to allow it to restart my PS3, I said yes, it turned off, the yellow light came on and the tears began to fall.


This is the same company (albeit a different division?) that decided it was OK to install rootkits on users' computers. http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...


It should really be pointed out that it wasn't the same company. Sony BMG was never a part of Sony, it was simply partially owned by Sony. It's like blaming Apple for something that Pixar did because Jobs owned a substantial portion of both. Doesn't make the act itself any better, but we should stick to the facts.


Except that mere-mortals, like myself, had no idea that "Sony" was not "Sony".

If Sony reaps brand benefits from naming a "partially owned company" "Sony xxx", then Sony should also suffer when one part of the whole does something damaging to the brand.

Can't have it both ways.


Exactly. Just a few weeks ago I read an article linked through HN about some 3rd-party site branded as some Microsoft store, developed in India, that stored passwords/credit card/some sensitive information in clear text... it didn't take people long to start beating Microsoft with that stick.

Your clued-up person may know the difference, but the average person is not that clued up.


I worked at Sony Music during the time of the rootkit fiasco and I was a bit surprised by the reaction of the internet. There were many organized boycotts of Sony Corporate, Sony Playstation, etc… while nobody tried to boycott any Bertelsmann products (and there are plenty). The irony is that the individual in charge of that division of Sony BMG came over in the merger from Bertelsmann.

While Sony certainly stood to reap the brand benefits, they also reaped almost all of the negative publicity.


> While Sony certainly stood to reap the brand benefits, they also reaped almost all of the negative publicity.

That sounds like someone failed in their due diligence role, rather than any reason I should pity Sony.


Well, no, it's not like that. It was a private venture 50 percent owned by Sony itself, not merely a public venture with a shared big stockholder. Sony had substantial control over the company, which was made substantially of labels spun off from Sony, and which are now fully owned and controlled by Sony. Sony is the successor in interest, getting all of these labels' assets, including their goodwill or lack thereof.

Mainly, though, this corporation, which began with Sony and ended with Sony, fit very well with the Sony culture of abusing consumer trust for additional profit.


Not part of Sony but partially owned by Sony? That's doublespeak. It's either one or the other. Stop obfuscating the issue.


Every corporation is a separate legal entity, but since nobody has defined whether "Sony" means "Sony Corporation" or "Sony Group" (which is headed by Sony Corporation) then that's kind of a moot point.


Never let anyone forget about this. I still feel angry today when I think about it and I didn't even buy one of the CDs.


I've not knowingly let anything with "Sony" written on it directly touch machines on my home network since. People think I'm weird...

I do remember seeing an apology and promise from Sony about the incident in the form of a press release. Though my reading of it was "we are sorry they got caught and embarrassed us" and "we promise not to do exactly the same thing in the near future" (which left them open to doing something just as bad right away and open to doing the same thing now, years later, without breaking their word).


Come on, who doesn't trust Sony?


Two years ago we were all handing our social network usernames + passwords to every service out there. You just did that with your PlayStation, what's new? Just don't share things with services you don't trust. OAuth doesn't work in this setting.
