A critical bug that has been fixed in the PlayStation Now app for Windows could be used by malicious sites to execute arbitrary code. Let me remind you that this service is already used by over 2,000,000 people.
The vulnerability was discovered this summer by cybersecurity expert Parsia Hakimian and reported through the recently launched official PlayStation bug bounty program on HackerOne. The issue affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later.
The researcher found that, because of a flaw in how the application accepted WebSocket connections, sites opened in any browser could send requests to the application and make it load malicious URLs, which could then trigger arbitrary code execution on the system.
Essentially, the app set up a local WebSocket server that did not check the origin of incoming requests, which allowed any website to send requests to PlayStation Now. To successfully exploit this error, attackers must convince the PS Now user whose device they want to hack to open a specially crafted malicious site, for example by sending a link to such a resource in a phishing email, or by leaving it on a forum, in a Discord channel, and so on.
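The missing check described above, sketched as an added example (it is not Sony's code or the researcher's): a loopback WebSocket server refuses the handshake unless the browser-supplied Origin header is on an allowlist. The origin `https://app.example.test` and the `accept` callback are assumptions made for illustration.

```javascript
// Added example: Origin allowlisting for a loopback WebSocket server.
// The origin below is a constructed placeholder, not a PlayStation Now value.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Normalise an Origin header to scheme://host[:port]; null if unusable.
function normaliseOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    // A real Origin header never carries a path, query, fragment or credentials.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null; // not parseable as a URL
  }
}

// Decide whether an upgrade request may proceed. Node lowercases header names.
function checkUpgrade(headers) {
  const origin = normaliseOrigin(headers["origin"]);
  if (origin === null) return { ok: false, reason: "missing or opaque Origin" };
  // Exact match only: suffix or substring matching lets look-alike hosts through.
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: `origin ${origin} not allowed` };
  return { ok: true, reason: "origin allowed" };
}

// Handler shape for the Node http.Server 'upgrade' event. The request is
// refused before any WebSocket frame is parsed. `accept` is a hypothetical
// callback that completes the handshake (e.g. the WebSocket library's own).
function onUpgrade(req, socket, head, accept) {
  const verdict = checkUpgrade(req.headers);
  if (!verdict.ok) {
    socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
    socket.destroy();
    return verdict;
  }
  accept(req, socket, head);
  return verdict;
}
```

Browsers attach the Origin header to every WebSocket handshake and page script cannot override it, which is why this check stops cross-site pages; it does not authenticate other local processes, which can send any header they like.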
In addition, the Electron AGL app launched by PlayStation Now could be instructed to load specific sites using commands sent to the WebSocket server. AGL could also be used to run local applications. Moreover, the AGL Electron application allowed JavaScript on loaded web pages to start new processes, which essentially meant that code on those pages could be executed on the system as well.
The critical bug has now been fixed, and Hakimian received a $15,000 reward for his discovery, even though the vulnerability fell outside the scope of the bug bounty: it affected a Windows application rather than one of the target systems included in the program (PlayStation 4 and PlayStation 5 systems, operating systems, accessories, or PlayStation Network).
Let me remind you that the researcher accidentally found a 0-day bug in Windows 7 and Windows Server 2008.