PSN automatically "roots" your Facebook, no permission granted.

283 pointsloucal14y ago33 comments

I have been meaning to link up my modern warfare 3 account with facebook (new feature) so I could see which of my facebook friends play. Today I finally did it and paid very close attention to the permission I was granting to the game. Call of duty asks for permission to access all your basic info, view your photos, and post to your wall. A bit hefty, but I wanted to see who else was playing modern warfare 3 so I agreed. I was logged in, and when I went to my friends list i was informed it found no results so was pretty much pointless. Immediately I checked my account settings on facebook thinking I would just remove access and forget about the whole thing. I was not so shocked to find that call of duty had allowed itself more access than it asked for. I WAS however shocked that there was another app allowed in the last 24 hours called 'Playstation Network' and it had a pagelong list of access permissions all of which were completely open and I had never been asked to allow that. (I'm pretty sure it just opened up every permission setting possible on facebook) Seriously, check it out yourself if you have the game on ps3. I would take a screenshot but I was so disturbed the first reaction was to of course revoke all access. Obviously any information they could access would have been crawled and indexed in sony's servers in those few minutes, but it was all I could do of course. Has anyone else been disturbed by this? It is particularly ironic that sony not so long ago lost all psn users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our facebook accounts. Please help me bring some attention to this.

283 pointsloucal14y ago33 comments

33 comments

26 comments · 11 top-level

hendrix14y ago· 6 in thread

This is the same company (albeit a different division?) that decided it was OK to install rootkits on users computers. http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

daeken14y ago

It should really be pointed out that it wasn't the same company. Sony BMG was never a part of Sony, it was simply partially owned by Sony. It's like blaming Apple for something that Pixar did because Jobs owned a substantial portion of both. Doesn't make the act itself any better, but we should stick to the facts.

cek14y ago

Except that mere-mortals, like myself, had no idea that "Sony" was not "Sony".

If Sony reaps brand benefits from naming a "partially owned company" "Sony xxx", then Sony should also suffer when one part of the whole does something damaging to the brand.

Can't have it both ways.

2 more replies

michaelhoffman14y ago

Well, no, it's not like that. It was a private venture 50 percent owned by Sony itself, not merely a public venture with a shared big stockholder. Sony had substantial control over the company, which was made substantially of labels spun off from Sony, and which are now fully owned and controlled by Sony. Sony is the successor in interest, getting all of these labels' assets, including their goodwill or lack thereof.

Mainly, though, this corporation, which began with Sony and ended with Sony, fit very well with the Sony culture of abusing consumer trust for additional profit.

squadron14y ago

Not part of Sony but partially owned by Sony? That's doublespeak. It's either one or the other. Stop obfuscating the issue.

1 more reply

airloom14y ago

Never let anyone forget about this. I still feel angry today when I think about it and I didn't even buy one of the CDs.

dspillett14y ago

I've not knowingly let anything with "Sony" written on it directly touch machines on my home network since. People think I'm weird...

I do remember seeing an apology and promise from Sony about the incident in the form of a press release. Though my reading of it was "we are sorry they got caught and embarrassed us" and "we promise not to do exactly the same thing in the near future" (which left them open to doing something just as bad right away and open to doing the same thing now, years later, without breaking their word).

brian_cloutier14y ago· 4 in thread

I'm being pedantic, but "roots your Facebook" is a massive misuse of the word root.

I doubt Sony has the ability to do anything it wants with your account (It can't change your password, it can't revoke permissions of another app) so they haven't gained "root access" to your account.

I also doubt that Sony is hacking or getting this access through illicit means. Sony doesn't "root" your account through some sort of exploit, Facebook has most likely given them that access. (As a few others have mentioned)

You're right that this is disturbing. Poking holes into the security model in other to make the user experience more convenient is something companies do depressingly often. Here's an example that surprised me recently, if you activate your android phone by signing into a google account it ignores two-factor authentication and only asks for your password.

[edit, removed a patronizing paragraph]

loucalOP14y ago

:) I didn't think it would make it this long without someone calling me out on that but you are 100% correct, rooting is not the right term for what happened since they did not actually control the account. Some might argue however, that since they took the liberty to allow everything possible that for all intents and purposes (except of course changing my password which would do them no good anyway) they had administrative access to my account.

Also, just to clear up what happened, I was asked to allow separate permissions for modern warfare 3 (much less lenient ones) and when i did that, psn also hopped on board and opened up everything (which I clearly did not authorize). I don't think that facebook has anything to do with this except for the fact that it is possible. I would hope that this sort of use of their service makes them unhappy.

I would take personally any app that asked me to allow certain rights and then piggybacked on every single possible right without notification. Some people don't care, I think it is an issue to bring to everyones attention. I'm glad you got amusement, hopefully some others got more.

bpd106914y ago

I'm not in the mood to rant on about Facebook, but I must say Facebook allows this to happen. If it didn't it wouldn't.

Facebook gives users the illusion of control and will only extend that illusion when someone makes a loud fuss (or a lawsuit).

When Zuckerberg states that Facebook has a hacking culture, I think he meant social engineering.

jrockway14y ago

Here's an example that surprised me recently, if you activate your android phone by signing into a google account it ignores two-factor authentication and only asks for your password.

Are you sure about this? Perhaps you have the "Remember this computer for 30 days" cookie around?

brian_cloutier14y ago

I saw your other comment that mentions your phone obeys 2Factor. Are you by any chance not running Ice Cream Sandwich? After I completely wipe my Galaxy Nexus it still doesn't ask for 2Factor. It doesn't even require an application specific password, it accepts my real password with no hesitation.

1 more reply

TazeTSchnitzel14y ago· 3 in thread

Yeah, Facebook has a special authentication mode for devices where browser OAuth isn't an option.

My Samsung feature phone also gets full permissions when it logs in.

jrockway14y ago

What devices don't have a browser? When I first get an Android device and need to add my Google account, the browser opens to handle the login flow (which requires my 2Factor key), and then the phone is authorized. Alternatively, I can create an application-specific password and use that.

I don't understand why Facebook can't do one of these two things.

objclxt14y ago

There are several applications where devices either don't have a browser or the browser / input method is unsuitable. I have actually worked on several projects that use non-standard authentication (with FB's permission), and although I can't go into too much detail about exactly what the hardware applications were, they are real and do exist.

1 more reply

alanh14y ago

Yes, “Not an option”? When is it not an option?

mikeknoop14y ago· 1 in thread

As TazeTSchnitzel alludes to, HTC and their Sense interface use a similar "special manufacturer" authentication permission to accomplish this.

EDIT: To clarify, Facebook has made a special deal with HTC (or Sony in the case of this post) to allow these non-standard browser oAuth flows.

Eduard14y ago

Has anyone tried to sniff on the authentication protocol going on here? I'd like to know if every oauth consumer can use these hidden permissions.

rapala14y ago· 1 in thread

Have you contacted Sony or Facebook? It would be interesting to know their answer.

loucalOP14y ago

I have not. Last time I complained to sony they sent out an update to all playstations and when I downloaded it my ps3 clicked off and i got the 'yellow light of death'... done, over, forever. This new ps3 was a gift from my girlfriend so I wouldn't want to give sony any reason to fry her $300 purchase like they did with mine.

I know this is a conspiracy theory. The sony fanboys ripped me apart when I complained on twitter about it. 'Obviously' it was just coincidence. I'm thinking at the very least it has to do with that legit version of yellow dog linux i had on it at one point which they forced me to remove with a more recent update if i wanted to keep my psn access. I have a feeling i would have been better off just giving them the boot then and there.. ohh well, SMH

EDIT: just so everyone knows the details it was after the big crack of psn, it was down for months and every day i turned on my ps3, checked if i could get on and turn it off. I complained on twitter at some point and when the network finally came back up I installed the update. It completed 'successfully' and asked me to allow it to restart my ps3, I said yes, it turned off, yellow light comes on and the tears begin to fall.

Foy14y ago

> It is particularly ironic that sony not so long ago lost all psn users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our facebook accounts.

QFT. You would think that they'd show a little more sensitivity around privacy issues after their recent security fiasco, instead of looking for more ways to steal information that they might very well end up losing.

sixbrx14y ago

Holy crap, that's way beyond what I would have expected. Thanks for reporting this.

gnu814y ago

What do you think Sony pays for that?

direllama14y ago

So facebook does nothing to restrict apps to the permissions they request? what's the point then?

shingen14y ago

Comeon, who doesn't trust Sony?

ricardobeat14y ago

Two years ago we were all handling our social network username + passwords to every service out there. You just did that with your Playstation, what's new? Just don't share things with services you don't trust. OAuth doesn't work in this setting.

1 more reply

j / k navigate · click thread line to collapse

33 comments

26 comments · 11 top-level

hendrix14y ago· 6 in thread

This is the same company (albeit a different division?) that decided it was OK to install rootkits on users computers. http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

daeken14y ago

cek14y ago

Except that mere-mortals, like myself, had no idea that "Sony" was not "Sony".

If Sony reaps brand benefits from naming a "partially owned company" "Sony xxx", then Sony should also suffer when one part of the whole does something damaging to the brand.

Can't have it both ways.

2 more replies

michaelhoffman14y ago

Mainly, though, this corporation, which began with Sony and ended with Sony, fit very well with the Sony culture of abusing consumer trust for additional profit.

squadron14y ago

Not part of Sony but partially owned by Sony? That's doublespeak. It's either one or the other. Stop obfuscating the issue.

1 more reply

airloom14y ago

Never let anyone forget about this. I still feel angry today when I think about it and I didn't even buy one of the CDs.

dspillett14y ago

I've not knowingly let anything with "Sony" written on it directly touch machines on my home network since. People think I'm weird...

brian_cloutier14y ago· 4 in thread

I'm being pedantic, but "roots your Facebook" is a massive misuse of the word root.

[edit, removed a patronizing paragraph]

loucalOP14y ago

bpd106914y ago

I'm not in the mood to rant on about Facebook, but I must say Facebook allows this to happen. If it didn't it wouldn't.

Facebook gives users the illusion of control and will only extend that illusion when someone makes a loud fuss (or a lawsuit).

When Zuckerberg states that Facebook has a hacking culture, I think he meant social engineering.

jrockway14y ago

Here's an example that surprised me recently, if you activate your android phone by signing into a google account it ignores two-factor authentication and only asks for your password.

Are you sure about this? Perhaps you have the "Remember this computer for 30 days" cookie around?

brian_cloutier14y ago

1 more reply

TazeTSchnitzel14y ago· 3 in thread

Yeah, Facebook has a special authentication mode for devices where browser OAuth isn't an option.

My Samsung feature phone also gets full permissions when it logs in.

jrockway14y ago

I don't understand why Facebook can't do one of these two things.

objclxt14y ago

1 more reply

alanh14y ago

Yes, “Not an option”? When is it not an option?

mikeknoop14y ago· 1 in thread

As TazeTSchnitzel alludes to, HTC and their Sense interface use a similar "special manufacturer" authentication permission to accomplish this.

EDIT: To clarify, Facebook has made a special deal with HTC (or Sony in the case of this post) to allow these non-standard browser oAuth flows.

Eduard14y ago

Has anyone tried to sniff on the authentication protocol going on here? I'd like to know if every oauth consumer can use these hidden permissions.

rapala14y ago· 1 in thread

Have you contacted Sony or Facebook? It would be interesting to know their answer.

loucalOP14y ago

Foy14y ago

> It is particularly ironic that sony not so long ago lost all psn users' personal and financial data to crackers, and now they want to underhandedly grab more of it from our facebook accounts.

sixbrx14y ago

Holy crap, that's way beyond what I would have expected. Thanks for reporting this.

gnu814y ago

What do you think Sony pays for that?

direllama14y ago

So facebook does nothing to restrict apps to the permissions they request? what's the point then?

shingen14y ago

Comeon, who doesn't trust Sony?

ricardobeat14y ago

1 more reply

j / k navigate · click thread line to collapse