Nintendo has just discreetly corrected a critical security flaw in several games available on Switch, 3DS and Wii U. This extremely serious vulnerability allowed a hacker to execute arbitrary code on a console. It was enough for that to play online with the victim.
While the Zelda Tears of The Kingdom special edition of the Switch has just leaked on the web, we have just learned of the existence of a very serious security flaw spotted on several cult games from the manufacturer.
This vulnerability, dubbed ENLBufferPwn, was discovered in several Switch, 3DS and Wii U titles by hackers PabloMK7, Rambo6Glaz and FishGuy6564. Before going into detail, note that Nintendo fixed this exploit in Mario Kart 8 Deluxe, Animal Crossing: New Horizons, ARMS, Splatoon 2 and Super Mario Maker 2.
Splatoon 3, Mario Kart 8 but Mario Kart 7 are also part of the titles concerned. If you wonder why Mario Kart 7 got an update after so many years, that’s the reason. As PabloMK7 explains in a thread on Twitter, this vulnerability allowed “when combined with other flaws in the OS” an attacker to take full control of the victim’s console, in order to “steal sensitive information or take video and audio recordings”.
Also read: The Nintendo Switch is now more eco-friendly, here’s how
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
?(1/7) pic.twitter.com/4qewU5YQ9x—PabloMK7 (@Pablomf6) December 24, 2022
To do this, it sufficed that the pirate manages to play online with/against his target in one of the games mentioned above. Faced with such a threat, the exploit obtained a severity score of 9.8 out of 10 in the CVSS V3 Calculator, the system used to categorize vulnerabilities according to their dangerousness.
According to Pablo MK7, this flaw was repeatedly reported to Nintendo between 2021 and 2022 through its bug hunting program. The hacker explains to have obtained a reward of 1000 dollars for his contribution. “I would also like to thank Nintendo for giving me the opportunity to collaborate in the discovery and investigation of this vulnerability, and for devoting resources to fixing it in older titles. I hope these actions have helped create a safer online gambling environment.” he writes on the blue bird.
Source: Eurogamer