Update: At the request of Conor, we have removed the exploit details from this article as it appears Nintendo is still working on a fix via their bug bounty platform.
Original Story: While Nintendo's Switch firmware updates are usually all about adding stability and getting rid of bugs, sometimes they inadvertently introduce problems of their own.
As discovered by Conor on his Pwnistry blog, Version 12.0 contains an exploit that allows you to run your own JavaScript code on any device that connects to a Switch (this is referred to as 'XSS', which stands for Cross-Site Scripting). He has also confirmed to us that, as of Version 12.0.1, the exploit still exists (it may have existed prior to 12.0, as the feature the exploit uses was present in Version 11.0).
Conor is keen to stress that this vulnerability does not allow the user to run unsigned code on the Switch, so it cannot be used to 'hack' the console in any way – but it could be used for potential mischief nonetheless.
He goes into a little more detail on how this attack could be implemented on his blog, and states that he has already alerted Nintendo of the exploit's existence, so it should be patched out fairly soon.
[source pwnistry.com]
Comments (9)
Doesn't sound like anything I need to be concerned with, but thanks for the heads up!
@PoliticallyIncorrect
I love your pic, bro!
Hey thanks bro! I guess it reflects my age, but I loved the comic and games.
@PoliticallyIncorrect The exploit really does nothing apart from compromise your system, so nothing is lost here.
@huyi Absolutely nothing is going to happen to my system. Perhaps I'm mistaken, but it almost sounds as if the fact that it doesn't bother me, bothers you.
XSS vulnerabilities are generally a problem because they can be used to perform actions as the user on the site the code is injected into, or to change the content of that site to something of the attacker’s choosing.
In this case the “site the code is injected into” is 192.168.0.1 on the switch’s ad-hoc wifi network so there is likely very little risk here. It is essentially the risk you take clicking on any link anyone sends you on your smart device. (The JavaScript runs on the device connecting to the switch — perhaps another switch? — in the web browser in the context of the 192.168.0.1 “domain”)
An example of where XSS would be a problem (but which is NOT the case here) would be if Nintendo’s actual website had an XSS flaw. In that case the XSS could potentially be used to take over your Nintendo account or to link you to an “official” Nintendo.com page with content of the attacker’s choosing on it.
For more information see: https://owasp.org/www-community/attacks/xss/
A pretty useless exploit. Not sure it even needs to be patched considering the limitations.
Sounds possible to hack w/ it. Interesting...
Too bad they still haven't patched the annoying internet freeze bug on the 3DS.
If my wifi box is on but isn't connected to the internet yet (sometimes it restarts), the 3DS will still connect to the box and assume there is internet. However, upon opening the browser when no internet is available, the system will immediately freeze.