A critical vulnerability addressed earlier this year in the PlayStation Now application for Windows could have been exploited by malicious websites to execute arbitrary code.
The PlayStation Now application allows users to access an on-demand game collection directly from their Windows PCs. To enjoy the games, users also need a PlayStation Network account and a compatible controller.
As part of Sony’s bug bounty program on HackerOne, a security researcher that goes by the handle of “parsiya” reported a critical flaw in the PlayStation Now application that could have been abused by any website to execute code on vulnerable systems.
The report for this issue was submitted on May 13, more than one month before Sony launched a public PlayStation bug bounty program on HackerOne.
What the researcher discovered was that, because of a vulnerable websocket connection to the application, websites opened in any browser on the machine could send requests to the application, and have it load malicious URLs that could then execute code on the system.
The issue, parsiya explained, was that the application created a local websocket server that failed to check the origin of incoming requests, which made it possible for websites loaded in the browser to send requests to PlayStation Now.
Furthermore, the Electron application AGL that PlayStation Now launches could have been instructed to load specific websites, using commands sent to the websocket server. AGL can also be used to run a local application.
The security researcher also discovered that the AGL Electron application allowed for the JavaScript on loaded web pages to spawn new processes, essentially enabling code execution.
Parsiya, who provided full technical details on this vulnerability in his HackerOne report, noted that the issue could be resolved by ensuring that the local websocket server always validates the origin of incoming requests against a set list.
The flaw was assigned a severity score of 9.6 (critical). Sony awarded the researcher a $15,000 bounty for his report and addressed the issue within weeks. However, the vulnerability was disclosed publicly only now.
Related: Sony Launches PlayStation Bug Bounty Program on HackerOne
Related: WebKit Vulnerabilities Allow Remote Code Execution via Malicious Websites
Related: Remote Code Execution Vulnerability Patched in Drupal