PlayStation Now Fixes Vulnerability That Allowed Attackers to Run RCE on Windows PCs

A critical flaw in the PlayStation Now cloud application could have let attackers inject malicious code on Windows-operating devices.

The vulnerability was reported on May 13 by bug hunter Parsia Hakimian, and fixed on June 25 by the online gaming giant.

The bug, residing in an insecure AGL application, affected PlayStation Now versions 11.0.2 and earlier on machines running Windows 7 SP1 and later.

“The PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE),” Hakimian said. “Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.”

In his description of an attack, Hakimian said a threat actor could send a malicious script to users through online forums or Discord. By accessing the link on their computer, malicious scripts on the website connect to the local WebSocket server [ws://localhost:1235] and ask AGL (Electron application) to load and run malicious Node code on the target’s device.

“Any JavaScript loaded by AGL will be able to spawn processes on the machine. This can lead to arbitrary code execution,” the bug hunter added. “The AGL application performs no checks on what URLs it loads.”

The findings landed the researcher a whopping $15,000 bounty awarded by PlayStation’s HackerOne bug bounty program.

The fix couldn’t have come at a better time for the gaming community since the cloud-gaming service has gained more than 2.2 million subscribers by April 2020.