Home has been hacked - report

Could be used to spread viruses.

The Telegraph is reporting that Sony's PS3 virtual world, Home, has already been hacked.

"Developers" have apparently found a "security loophole" that allows them to upload any file to, or even delete files from, the Home server. This makes it theoretically possible for hackers to spread viruses through the social software, or try to force it offline.

Other hacks are said to allow users to download files from the Home servers (such as another player's avatar), change the text and music, or use the in-game screens to watch their own video files. Apparently this is possible using the Apache web server and DNS redirection, which might mean something to some of you.

Home went into open beta, granting access to all PS3 users, last week. You can read our impressions and more at the Home personal space, sorry, gamepage.

Comments (89) Latest comment 3 years ago


  • mingster #1 3 years ago

    Large penises are appearing everywhere...
    (Even though it was full of cocks before it was hacked)
  • PearOfAnguish #2 3 years ago

    What's the problem, this can only make Home more fun.
  • LHH #3 3 years ago

  • DuTraveller #4 3 years ago

    virus doesn't seem fun...
  • Dizzy #5 3 years ago

    >What's the problem, this can only make Home more fun.

    Indeed... this is a good thing.
  • bad09 #6 3 years ago

    LOL, maybe someone could hack in some porn to replace the ads, make it a bit more fun in the square!

    Well my PS3 is safe anyway, Home is gone forever ;)
  • Vistrix #7 3 years ago

    Some guy found out you can upload any kind of file...

    The article fails to mention that the file would still have to go through some kind of Sony security configuration (most likely some heavy firewall/scanning software/hardware).

    It also tries to suggest that everyone is at risk from viruses/these files, but that's impossible. Worst thing that could happen is Home goes offline.
    Edited by 1 at 17/12/08 @ 11:24
  • lambtron #8 3 years ago

    "Best thing that could happen is Home goes offline. "

    Fixed.
  • kangarootoo #9 3 years ago

    That Telegraph article is nonsense.
  • Vistrix #10 3 years ago

    @lambtron

    People still hating on Home? Is that still cool?
  • DUFFKING #11 3 years ago

    Guess this is what betas are for then :p
  • lambtron #12 3 years ago

    Find out tonight on BBC2.

    http://www.youtube.com/watch?v=jlbC77GS0Ak
    Edited by 2 at 17/12/08 @ 11:29
  • PearOfAnguish #13 3 years ago

    Home is where the hack is.
  • X201 #14 3 years ago

    Telegraph getting worked up about a DNS redirect :)



  • Beano #15 3 years ago

    Home has NOT been hacked.

    Some clever guys have been able to use a DNS-redirect trick to use their own files in their own Home session. But no files on Sony's servers have been deleted or changed. And the changed files have only been displayed/used on the "hackers" own PS3.

    And no... this can NOT be used to spread viruses either. Eurogamer is waaay off target here. Tabloid gaming journalism!

    Read the real story here (be sure to check the links in the bottom of the article) :

    http://www.engadget.com/2008/12/14/plays...
    Edited by 2 at 17/12/08 @ 11:37
  • gamefan #16 3 years ago

    Home could be a stroke of genius or the biggest gaming money since ET on the Atari 2600.
  • bad09 #17 3 years ago

    "Home could be a stroke of genius or the biggest gaming money since ET on the Atari 2600. "

    LOL if it was an "ET" Sony would make a virtual new mexico landfill site for £4.99 so we could stick all the virtual designer gear in it :)
  • Pirotic #18 3 years ago

    All he does is he's set up his local apache server to serve some content, and then names some of the content the same name as it's called on the sony servers, then gets his HOSTS to redirect for the content's domain to his own local server.

    So in other words, it only impacts him, it doesn't change anything on the sony servers or have any effect on other users.
  • RedPanda #19 3 years ago

    Post deleted at 14:31:59 28-01-2012
  • Chufty #20 3 years ago

    I can't believe Eurogamer reported on this. This is completely untrue. For a start, you can't write code that will execute on a PS3, so saying you can get a virus from Home is utterly ridiculous. And to upload files using DNS redirection on your home network? Big geeky LOL.

    You'd expect this kind of story to make the newspapers but you would think EG would do a bit of research, or even apply a bit of common sense, when posting these articles.
  • Doctor_What #21 3 years ago

    "For a start, you can't write code that will execute on a PS3,"

    So true! ;)

    (And this speaking from a guy who really likes the machine.)
  • Beano #22 3 years ago

    @Chufty : I agree... but again... it's written by Oli Welsh so we should not be surprised.
  • cloud_ix #23 3 years ago

    shoddy work eurogamer....
  • Dizzy #24 3 years ago

    "For a start, you can't write code that will execute on a PS3,"

    I am sure you could force some kind of buffer overflow with custom media/files downloaded from Home (if that could be done). Anyway... that has not been done or discovered, but rarely are machines 100% bug free against buffer overflows. Also yeah, like a lot of people have said, the hack is not really that bad. More like a mod IMHO ;)
    Edited by 1 at 17/12/08 @ 11:53
  • Stormflood #25 3 years ago

    Seeing as most people including myself can't even log into Home, does it really matter?
  • udat #26 3 years ago

    There are two entirely separate issues here.

    The DNS redirect is a purely local change that only affects you, so in no way is it a "hack".

    The exploitation of scripts on the Sony Home servers that let you upload, download and delete files is a significant security vulnerability, if it works as described.
  • Beano #27 3 years ago

    "The exploitation of scripts on the Sony Home servers that let you upload, download and delete files is a significant security vulnerability, if it works as described."

    Which it doesn't.
  • Der_tolle_Emil #28 3 years ago

    Unless someone manages to change the necessary A/CNAME records on a provider's DNS this really isn't anything special. It's in no way a hack and it doesn't even affect others - at all.
  • mingster #29 3 years ago

    This hack gives you teh Aids.
  • Darren #30 3 years ago

    Ah nice... a perfect valid reason for me NOT to use Home then... not that I was impressed with it anyway from the closed beta.
  • bioreit #31 3 years ago

    "it's written by Oli Welsh so we should not be surprised."

    It's written by Beano so we should not be surprised.
  • Arwin #32 3 years ago

    It's quoting a Telegraph article so we shouldn't be surprised.
  • BobsUncle #33 3 years ago

    What completely pointless waste of some guy's time.

    Home, that is. ;-)
  • kangarootoo #34 3 years ago

    @Beano

    Good initial post. I was too annoyed at the Telegraph's poor level of investigative journalism to write anything more useful than "teh are suxor!!".
  • onyxbox #35 3 years ago

    what a load of bull... I'm guessing DNS redirect could be used on anything (including the beloved XBL)

    the Internet media IS gunning for Sony... bring back magazines... oh wait... didn't Edge just award 360 best hardware award.

    :-D

    crazy world we live in.
  • sneetch #36 3 years ago

    Are there many PS3 viruses? Maybe they got Jeff Goldblum to write one?

    @beano
    Ahh... so they replaced some of their own files? OMGH4X! OH NOES I R GOT HAXEWD!
  • bioreit #37 3 years ago

    @ Beano

    Went to the Engadget link - StreetSkaterFU's blog is "closed for maintenance", so we can't actually see what he claims to be able to do. PS3hax is blocked at work, but that Engadget story makes it clear that that second link was from a guy who used StreetSkaterFU's methods to only change his localised content.

    According to the limited information available from Engadget, StreetSkaterFU claims to be able to change, upload and delete content on Home's servers. But like I said, we can't actually verify what his methods were, as his blog is down.

    So I guess I'm asking where "Some clever guys have been able to use a DNS-redirect trick to use their own files in their own Home session. But no files on Sony's servers have been deleted or changed. And the changed files have only been displayed/used on the "hackers" own PS3" came from, because the second guy? Absolutely - what you said is perfectly true. StreetSkaterFU? He's claiming that he can do those things.
  • m0thr4 #38 3 years ago

    Looks like a typical Telegraph technology FUD article to me. Maybe they should start employing writers that actually know what they're talking about. Let's examine them in detail:

    One hack uses a combination of the Apache web server and DNS re-direction to allow users of PlayStation Home to watch their own movies on display screens within the game, and change text and music to whatever they choose.

    So what? This is completely harmless.

    A second hack enables players to download any file they want from PlayStation Home's servers, such as a fellow user's profile or avatar, the cartoon-like representation of themselves they create to appear in the virtual world.

    Unless Sony were stupid enough to run the server software as root/admin, I highly doubt this is possible. But it makes no real sense, as the profile and avatars are unlikely to be 'files' anyway, more likely stored as objects in a database. Your local PS3 profile information is not stored in Home, so that's safe... which leaves your avatar? Big deal, surely you could just copy it by looking at it and replicating it for yourself manually?

    But the most worrying vulnerability found in the Home software is the security loophole that allows tech-savvy users to upload any file to the Home server, or delete any file from the Home server. It raises the spectre of malicious hackers spreading viruses and malware across the PlayStation Home platform, or even launching sustained attacks on the virtual world's servers to force it offline.

    'Tech savvy users' eh? Curse those pesky brainiacs! Again, this sounds like utter bollocks. Are users logged in to Home given root/admin access to the servers? Do they have the ability to execute files? I doubt it.

    I'm not sure where the 'journalist' who wrote this article got his 'facts' from, but I'm waiting for the version written by someone who actually knows what they're talking about.
  • Weezer #39 3 years ago

    Am I the only one who can't understand half of the comments here? What the FUCK is a 'DNS redirect-trick buffer overflow virus mod' and should I be scared of it?


  • kristo #40 3 years ago

    yay, retarded "journalism" at its best. So, this is how the ship sinks aye Eurogamer? Regurgitating tabloid articles? Not even fact checking or even using a modicum of common sense?

    Tech savvy my arse, there is no way what's described here is possible, cept the changing vids/pics for your local network/ps3. Which, by the way, big fckin deal.

    1/10

    PS: DNS redirect is where you set up your local DNS (domain name service, the thingy that converts the domains you type (http://www.pornhub.com) into ip addresses, which is what the interwebs use) to have an entry for the domains sony use for home. Those entries you put in go to your server instead, and you put some movies/pics. For you, nothing to worry about.
    For someone to upload something onto Sony's home servers, they would need to get through (most likely) some kind of multi tiered firewall solution, work out which boxes inside are accessing the data, it could even be on some other file storage device (a NAS somewhere, serving via HTTP, who knows). This would require intimate knowledge of their network. Not likely. Even if they were 1337 haxor d00ds, they'd still need a shitload of info they wouldn't easily have (ips, passwords, account names, database sids, etc etc).

    So in summary, ignore this retarded article and rightfully question the sanity of the 'tard who posted this news article.
    Edited by 1 at 17/12/08 @ 12:50
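
An added illustration (not code from the article or from any commenter) of the HOSTS/local-DNS redirect that comments #18 and #40 describe, run entirely on loopback. The hostname, asset path and sample bytes are constructed, and the pinned SHA-256 check is an assumed client-side mitigation, not something the page says Home does. It shows that the swap is visible only to the machine carrying the override, and that a client verifying content against a known digest rejects the substituted file.

```python
import hashlib
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

CONTENT_HOST = "content.home.example"  # hypothetical hostname, not from the page
ASSET_PATH = "/screens/trailer.bin"    # hypothetical asset name
ORIGINAL = b"official trailer bytes (constructed sample)"
REPLACED = b"my own video bytes (constructed sample)"


def start_server(files):
    """Serve a {path: bytes} mapping over plain HTTP on a free loopback port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = files.get(self.path)
            if body is None:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class Client:
    """Stand-in for the console: resolve the content host, then HTTP GET."""

    def __init__(self, dns, hosts=None, pinned=None):
        self.dns = dns              # what every client's resolver returns
        self.hosts = hosts or {}    # per-machine override (HOSTS / local DNS)
        self.pinned = pinned or {}  # path -> expected SHA-256 (assumed mitigation)

    def resolve(self, name):
        # A local override wins over DNS, and only on the machine that has it.
        return self.hosts.get(name) or self.dns[name]

    def fetch(self, path):
        ip, port = self.resolve(CONTENT_HOST)
        conn = http.client.HTTPConnection(ip, port, timeout=5)
        try:
            conn.request("GET", path, headers={"Host": CONTENT_HOST})
            body = conn.getresponse().read()
        finally:
            conn.close()
        expected = self.pinned.get(path)
        if expected and hashlib.sha256(body).hexdigest() != expected:
            raise ValueError("digest mismatch for " + path)
        return body


def run_demo():
    official = start_server({ASSET_PATH: ORIGINAL})
    local = start_server({ASSET_PATH: REPLACED})
    try:
        dns = {CONTENT_HOST: official.server_address}
        override = {CONTENT_HOST: local.server_address}
        pins = {ASSET_PATH: hashlib.sha256(ORIGINAL).hexdigest()}
        result = {
            "redirected_client": Client(dns, override).fetch(ASSET_PATH),
            "other_client": Client(dns).fetch(ASSET_PATH),
        }
        try:
            Client(dns, override, pins).fetch(ASSET_PATH)
            result["verifying_client"] = "accepted"
        except ValueError:
            result["verifying_client"] = "rejected"
        return result
    finally:
        for server in (official, local):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for who, outcome in run_demo().items():
        print(who, "->", outcome)
```
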
  • miiiguel #41 3 years ago

    "DNS redirect-trick"
    GPS analogy alert!:

    It's like you're trusting your GPS to go to London and arrive in Newcastle (sorry, that may sound silly, but I don't know where the hell is Newcastle, so... it might work).
  • KreyAtiv #42 3 years ago

    Home forces itself offline anyway, that's my experience anyway, can't even get into it. Perhaps hackers can find a way to fix it quicker than Sony? :p
  • Pedrolot #43 3 years ago

    Id upload a porno and place a statue of me in the center on the square...with birds flying around it.
  • DFawkes #44 3 years ago

    With that analogy, I'm assuming this means, having asked for London, you get Newcastle, but you're allowed to replace any of the buildings you want? Whereas if you went to London as expected it'll be the same London other visitors to London see?

    I'm confused now.
  • BobsUncle #45 3 years ago

    @onyxbox - "what a load of bull... I'm guessing DNS redirect could be used on anything (including the beloved XBL) "

    I believe all Xbox live traffic is encrypted.
  • rudedudejude #46 3 years ago

    SCANDAL:

    EG SLOWLY TURNING INTO THE NEWS OF THE WORLD.

    SCAREMONGER TACTICS SNIFFED OUT BY GEEKS

    FULL STORY AT 4AM, AFTER YOUR RAID.
  • miiiguel #47 3 years ago

    @DFawkes, well, we do DNS redirect here every time we want to test (TEST! /knocks on wood!/) our disaster recovery site, but for our jobs sake we don't change anything... but it would be possible. That's not a hack, it's common practice, but can be used for shady stuff, I guess... .
    Buffer overflow? That should be a typical DNoS (denial of service), and that's way, way shady..., not even cool.
  • Dave52 #48 3 years ago

    Home must be seen as some sort of threat to the opposition for this kind of BS Story to be put out there...

    Home will eventually be a very cool thing - but it has a long way to go. Still in Beta don't forget...
  • Lemming81 #49 3 years ago

    I have a PS3, but hate the very idea of Home and refuse to install it because I KNOW it's merely a poorly designed marketing tool with an art direction that would make the 90's blush. So believe me when I say,


    PS3lol.
    Edited by 1 at 17/12/08 @ 13:07
  • Azazel #50 3 years ago

    It just looks to me like Second Life. And Second Life is really fucking lame.
  • teabagger #51 3 years ago

    Erm, wasn't this debunked on Joystiq on Monday???
  • Kenshin001 #52 3 years ago

    Gaming "journalism", lol.
  • Raz76 #53 3 years ago

    Has it been officially delayed again, by the way. Or have they just resorted to saying "it's out" when asked about release, and "it's a beta", when asked why it's crap.
  • ryohazuki1983 #54 3 years ago

    Must be a slow news day, we've had this and the article about recruiters avoiding WoW players.
  • ps3owner #55 3 years ago

    I think we should be allowed to give each news item a score... out of 10 of course. Maybe Eurogamer could then create some stats and check which news items are newsworthy and which are just plain ol'shit.

    my score for this fantastic article is: 1/10

    I think that's the second 1/10 score. so we already agree that it's shit.
  • mikeck #56 3 years ago

    Ah nice... a perfect valid reason for me NOT to use Home then... not that I was impressed with it anyway from the closed beta.

    Do you not read other people's comments then...
  • sneetch #57 3 years ago

    @Weezer
    "Am I the only one who can't understand half of the comments here? What the FUCK is a 'DNS redirect-trick buffer overflow virus mod' and should I be scared of it?"

    Push Circle, Triangle, Up, Circle, Triangle, Down, Circle, Triangle, Up, Circle, Triangle, Start. ;)

    Yes, you should be terrified and writing letters to tabloids telling them about your ill-defined fears! That's how tabloids work!

    Of course you could just post it here on The Daily Outrage/Eurogamer. *cough* ;)
  • pommak #58 3 years ago

    Can't you take this misleading article away and inform that the news is complete bullshit? Seems like you don't seem to have any sense of responsibility which is pretty bad considering your audience.
  • Mongoose #59 3 years ago

    More impeccable reporting. Well done...
  • peterv #60 3 years ago

    I am actually comforted by the knowledge that Eurogamer doesn't know what the fuck they are talking about.
    Because I don't know what the fuck they are talking about either.
  • robg #61 3 years ago

    Oh come on, I can't believe anyone's worried about Home potentially spreading viruses...it's FREE! You don't have to have any sort of quality control, security or worth if it's free.
  • peterv #62 3 years ago

    @robg

    I could potentially spread a virus but is anybody worried*.




    *Besides my wife or the prostitutes i frequent.




  • Widge #63 3 years ago

    Can we have some new news now, my F5 OCD is getting the better of me.
  • andywilkie35 #64 3 years ago

    glad I haven't downloaded this tripe yet.
  • stepneg #65 3 years ago

    Great way to top off, "the year of teh PS3", although there is still plenty of time for something even more damaging to potential sales to come out yet. Saying that if I was after a bluray player that just happened to have a FREE botched online service full of virus they would get my money for sure.
  • Entity #66 3 years ago

    I'm just here for the 'shits and giggles'!

    Oh and to make pompous people add me to their ignore list.
    "Ho-Ho-Home"
  • RexRunti #67 3 years ago

    Yes we all know that the first hack isn't really a security issue as it requires the user of Home to use your DNS server which will only be you, but I haven't seen anyone actually prove that the second and third hacks aren't an issue, just dismissed as "liars". Feel free to point me in the right direction.

    This is how I'd imagine they'd work (and why you don't need administrators’ privileges). It is not unreasonable to expect that your PS3 sends and modifies files on Sony's servers as things like avatar and apartment information needs to be stored (it doesn't make much difference if it's a true file or an object or a hash in a database). We can assume your PS3 has write/modify privileges to do this. Those stored files need to be accessed by other people on Home so they know what your avatar/apartment looks like etc. Presumably this means your PS3 has read privileges for other people's files then. What this hacker has done is discover a way of intercepting, and understanding the processes involved in this (as proved by the DNS rerouting) and so can download other people’s avatar information and manually modify his own. This by itself is not necessarily cause for alarm as just replacing his avatar with a virus is a bit like trying to open a Word document with Excel (or trying to install OSX on a PS3 for a non MS example) it just won’t work. If however (and there is no evidence that this is the case… yet) there is a way to trick the PS3 to run some sort of executable code from these files (which could be possible after all Macs were tricked into running executable code from JPGs not too long ago or might already have the option for it built in (like macros in a Word document or Java in a webpage)) and Sony have serious problems.
  • interceptor #68 3 years ago

  • Tyronne #69 3 years ago

    When are Sony going to hire this bloke as it sounds like he has done the impossible and made home entertaining.
    Edited by 1 at 17/12/08 @ 16:09
  • Garulon #70 3 years ago

    "there is a way to trick the PS3 to run some sort of executable code from these files "

    What you're talking about there is a possible buffer overflow (or underflow) vulnerability - exploiting that successfully would expose a user who downloaded the avatar data (by seeing the person in Home perhaps, so not *that* likely :) ) to, well, anything the hacker wants really. I'd imagine first port of call would be attaching the exploit to the compromised user's avatar, then writing something persistent to the disk bootloader.

    It's lucky Sony spent a lot of effort getting the security right, rather than handing over coding to the idiots who wrote "The Getaway" then rushing this thing out half-finished to hit some arbitrary marketing-point-scoring "ship date", right? Otherwise they'd be exposing their loyal PS3 userbase to all kinds of scary shit. Phew!
  • sneetch #71 3 years ago

    @evilfoxhound
    "I call bullshit spread by rival company."

    I agree, the logical initial step is to blame those dastardly fiends in [Rival company] who obviously must be responsible because they're not liked. [Rival company] also caused the global recession in a flimsily disguised attempt to slow PS3 sales!

    Straight to Conspiracy, awesome.
  • miiiguel #72 3 years ago

    "I call bullshit spread by rival company."

    I call that comment a tin-foil hat bullshit. I mean, evilfox, do you really believe what you just said? What's the next step, Home is not so good because [Rival Company] put a curse on it ?
  • Zelos #73 3 years ago

    It's not just a DNS redirect attack, it's two separate attacks. The local hack is pretty meaningless, but if the other one is true then it's more serious I think.

    The article linked in the Engadget story is "down for maintenance", but you can read the google cache still. Basically, he's claiming that because Sony aren't encrypting the connection to Home, you can modify packets to the Home servers, allowing you to upload/download any file by changing URLs and POST data in requests from the PS3 client.

    I don't know if he's right or not, but it's pretty serious if so. It's not the kind of hack your average PS3 owner can do, of course.
  • sneetch #74 3 years ago

    @evilfoxhound
    "miiiguel, sneetch. I know people that you don't ;)"

    Yes, you do. Indeed I suspect that there's no overlap between the people I know and those you know. I find that fact very, very reassuring right now. ;)
  • JamieR #75 3 years ago

    I hope them hackers die trying to ruin things for people hackers are evil people
  • Chufty #76 3 years ago

    You can change the content of the packets sent to Home if you're really skilled, but that's not the same as uploading or downloading files, that's just sending junk data to the server which will fall over at the first hurdle unless Sony have not covered up some really, really basic security vulnerabilities.

    Also, if someone could get arbitrary code to execute on the PS3 (which is what a virus would need to do), the FIRST thing they would do is dump the system firmware to a PC and start to decode it. Then, pretty soon, begins the unstoppable wave of PS3 games piracy.
  • smelly #77 3 years ago

    Most people's idea of a "good" games review website - is one which gives the games on their machine high scores while giving games on other machines bad scores..


    .. That said.. A games website exists by criticising people's hard work (i.e. reviewing games).. So therefore why not have people criticise their (as in the reviewers) work?
  • MaxiSleep #78 3 years ago

    ukshaun
    17-Dec-08 20:05:45
    @vorlon-man: +1 - EG deff appear to be anti Sony/PS3. Not that I care too much.
    I own a PS3 and am happy with it. Buying an MS console has about as much chance of happening, as me buying an EA game.
    Never gonna happen.


    Why?
  • Chufty #79 3 years ago

    Because he's stubborn?
  • Sulphur_Man #80 3 years ago

    Allegations of poor journalism, slights on our beloved Eurogamer hacks, embittered forum members slating each other...it's all too depressing.

    Then again, not as bad as actually being in HOME.
  • bioreit #81 3 years ago

    @ ukshaun

    "EG deff appear to be anti Sony/PS3. Not that I care too much.
    I own a PS3 and am happy with it. Buying an MS console has about as much chance of happening, as me buying an EA game.
    Never gonna happen.
    "

    Welcome to Irony County. Population you.

    /was gonna add you obviously spend weekends in "Whinersville" along with vorlon-man, but couldn't make it snappy enough in the 4 seconds I thought about it.
  • Slipstream #82 3 years ago

    It's in BETA...that is all...
  • PAinKiLLa777 #83 3 years ago

    I see a lot of people taking the piss out of home & all I want to add "its beta & if u cant see the potential from this beta then ur all dumber than u sound".
  • davisorle #85 3 years ago

  • seasidebaz #86 3 years ago

    There is only ONE WAY that this could possibly be used to spread a virus.

    Everything in Home is encrypted. The only thing that may not be are the Java applets on the arcade machines in the bowling alley. Replace one of those and there's a chance you could do some damage (highly unlikely though, as Home should be sandboxed from the rest of the PS3, and the applets won't have sufficient permission to run...)
  • Dave52 #87 3 years ago

    Davisorle: "MUST READ ;)"

    There seems to be a concerted effort by the (highly paid) press to talk up the death of the PS3. I'm guessing that MS are worried about PS3's potential in 2009.... And no - that's not tin-foil-hat wearing nonsense, it's common sense. I know a lot of people with both consoles and they are all bemused by the "360 is better than the PS3" garbage that the gaming media are constantly spouting. There is a bias - without a doubt.

    In fact, a number of people I know with both have actually hacked the 360 (because you can) and use it as a free demo system to decide which games to buy on the PS3.... go figure.
  • Dan234 #88 3 years ago

    It's in BETA...that is all...

    Because if they wrote "it's unfinished and rushed out" it wouldn't quite have the same ring to it, would it?
  • davisorle #89 3 years ago

    @Dave52

    About ppl paying to talk shit about the PS3.. SPECIALLY CNNmoney i'd think about it twice before I'd say something like that. I do agree it happens in most cases like stupid online websites cause they make their money that way but not CNNmoney. EG etc i don't care either way. I have an opinion of my own either way about mostly everything.

    I actually have a modded ( as u mentioned it "hacked" ) 360. I download everything and buy the good ones since i wouldn't spend so much for SO many games. Though this past couple of months too many good games = too many had to be paid for them :/

    But why test on the 360 and buy on PS3 and not on 360? lol makes no sense when the 360 has best performance in most games overall ( no matter the best hardware arguments its a fact that 360 version of mostly all games perform better ), best support both as updates, DLC and online behavior/support..

    So most of the ppl i know have a hacked and a pure 360 from the ones that do it. None has a 360 to test and buy on PS3. It is kinda dumb imo.