Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Awarded $15,000 for Code Execution Flaw in PlayStation Now App

A critical vulnerability addressed earlier this year in the PlayStation Now application for Windows could have been exploited by malicious websites to execute arbitrary code.

A critical vulnerability addressed earlier this year in the PlayStation Now application for Windows could have been exploited by malicious websites to execute arbitrary code.

The PlayStation Now application allows users to access an on-demand game collection directly from their Windows PCs. To enjoy the games, users also need a PlayStation Network account and a compatible controller.

As part of Sony’s bug bounty program on HackerOne, a security researcher that goes by the handle of “parsiya” reported a critical flaw in the PlayStation Now application that could have been abused by any website to execute code on vulnerable systems.

The report for this issue was submitted on May 13, more than one month before Sony launched a public PlayStation bug bounty program on HackerOne.

What the researcher discovered was that, because of a vulnerable websocket connection to the application, websites opened in any browser on the machine could send requests to the application, and have it load malicious URLs that could then execute code on the system.

The issue, parsiya explained, was that the application created a local websocket server that failed to check the origin of incoming requests, which made it possible for websites loaded in the browser to send requests to PlayStation Now.

Advertisement. Scroll to continue reading.

Furthermore, the Electron application AGL that PlayStation Now launches could have been instructed to load specific websites, using commands sent to the websocket server. AGL can also be used to run a local application.

The security researcher also discovered that the AGL Electron application allowed for the JavaScript on loaded web pages to spawn new processes, essentially enabling code execution.

Parsiya, who provided full technical details on this vulnerability in his HackerOne report, noted that the issue could be resolved by ensuring that the local websocket server always validates the origin of incoming requests against a set list.

The flaw was assigned a severity score of 9.6 (critical). Sony awarded the researcher a $15,000 bounty for his report and addressed the issue within weeks. However, the vulnerability was disclosed publicly only now.

Related: Sony Launches PlayStation Bug Bounty Program on HackerOne

Related: WebKit Vulnerabilities Allow Remote Code Execution via Malicious Websites

Related: Remote Code Execution Vulnerability Patched in Drupal

Related: Security-Driven Networking Will Drive the Future of Digital Innovation

Related: CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.