Introduction

In this write-up, I will share my discovery of a Critical Authentication Bypass vulnerability on a testing environment for Sony (qa.[REDACTED].sony.com.sg) in July 2025. This flaw allowed anyone to log in to any account — including potentially administrative ones — without needing a valid password, simply by knowing a username.

Note: This write-up is part of my new blog documentation series, where I am re-archiving my previous security findings with a fresh perspective and updated formatting. You can find the original version of this report here.

Phase 1: Reconnaissance (The Power of Google Dorks)

On July 14, 2025, I started my research by looking for subdomains that might be overlooked or used for testing purposes. Using a manual approach with effective Google Dorks, I was able to filter the search results and narrow down the attack surface:

Queries Used:

  • site:sony.com -www
  • site:*.*.sony.com
  • site:*.*.sony.*.*

Important Note:

When using these dorks, don't forget to scroll to the last page and click "Repeat the search with the omitted results included". Google often filters out results it deems redundant, but for a researcher these "omitted" links are a goldmine — they might expose hidden endpoints or subdomains that don't appear in the standard search.

Figure 1: Expanding search results to include omitted entries.

Target Identified: https://qa.[REDACTED].sony.com.sg

The "QA" prefix indicated a testing environment, which often contains vulnerabilities not present in production.

Phase 2: Discovery & Analysis

Upon navigating to the site, I focused on the Login Functionality at /Login.aspx.

Initial Probe: I attempted to log in using a known or common username (e.g., SALEH) while providing a completely incorrect password like 123 or even leaving it empty.

Observing the Logic: Unlike secure systems that validate credentials, the application's backend appeared to only check if the username existed in the database. By entering a valid username and any string in the password field, the system granted me full access to the account.

Breaking the Authentication: This confirmed a total bypass of the authentication mechanism. The application failed to perform proper password verification, allowing me to impersonate any user on the platform simply by knowing their username.
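To make the flaw concrete, here is an added example of my own (not Sony's code and not taken from the report): a login check that mirrors the behaviour described above, where only the username is looked up, beside a hardened check that actually verifies a salted password hash in constant time. The user store, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed setting; tune to your hardware


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Setup helper: turn {username: plaintext} into {username: (salt, hash)}.
    The plaintexts are discarded; only salted hashes are kept."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _pbkdf2(password, salt))
    return store


def login_vulnerable(store: dict, username: str, password: str) -> bool:
    """The broken logic from the write-up: the backend only checks that the
    username exists. The password argument is never used, so '123' or an
    empty string is accepted for any known account."""
    return username in store


def login_fixed(store: dict, username: str, password: str) -> bool:
    """Hardened check: fetch the user's salt and stored hash, recompute the
    hash from the supplied password and compare in constant time. Unknown
    user and wrong password both yield False, so the caller cannot tell
    which one failed."""
    record = store.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # leak whether the username exists.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)
```

The interesting assertion for a reviewer is that `login_vulnerable` accepts an empty password for any existing user, while `login_fixed` rejects it.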

Phase 3: Proof of Concept (PoC)

After confirming the bypass, I documented the impact to show how easily an account could be compromised.

Steps:

  1. Enter a valid username in the username field.
  2. Enter any random value in the password field.
  3. Click the Login button.

Result: The system successfully authenticated the session and redirected me to the user dashboard.

Proof of Concept Video:

Impact: A successful Authentication Bypass on this endpoint could allow an attacker to:

  • Full Account Takeover: Accessing sensitive internal data.
  • Privilege Escalation: Impersonating administrative accounts.
  • Data Manipulation: Modifying, uploading, or deleting records within the system.

Recognition & Appreciation

After the vulnerability was resolved, I was honored to be included in Sony's Hall of Thanks and received Sony Swag as a thank you for my contribution to their security.

Figure 2: My name listed in Sony's official Hall of Thanks.

Being recognized by such a major company is a great motivation to continue securing the web!

Figure 3: Custom Sony Swag (Front view) awarded for identifying the Critical vulnerability.

Figure 4: Custom Sony Swag (Back view) awarded for identifying the Critical vulnerability.

Timeline & Resolution

  • July 14, 2025: Report submitted to Sony.
  • July 15, 2025: Report Triaged (Severity: Critical 9.1).
  • July 18, 2025: Vulnerability confirmed as Resolved & Swag rewarded.
  • July 18, 2025: Name added to Sony Hall of Thanks.

Contact me:

Thank you for reading! If you enjoyed this write-up, feel free to follow for more security research and findings.

By: ItsS4LEH