A critical flaw in the PlayStation Now cloud application could have let attackers inject malicious code on Windows-operating devices.
The vulnerability was reported on May 13 by bug hunter Parsia Hakimian, and fixed on June 25 by the online gaming giant.
The bug, residing in an insecure AGL application, affected PlayStation Now versions 11.0.2 and earlier on machines running Windows 7 SP1 and later.
“The PlayStation Now application version
11.0.2 is vulnerable to remote code execution (RCE),” Hakimian said. “Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.”
In his description of an attack, Hakimian said a threat actor could send a malicious script to users through online forums or Discord. By accessing the link on their computer, malicious scripts on the website connect to the local WebSocket server [ws://localhost:1235] and ask AGL (Electron application) to load and run malicious Node code on the target’s device.
The findings landed the researcher a whopping $15,000 bounty awarded by PlayStation’s HackerOne bug bounty program.
The fix couldn’t have come at a better time for the gaming community since the cloud-gaming service has gained more than 2.2 million subscribers by April 2020.