Nintendo Switch
Image: Nintendo Life

Update: At the request of Conor, we have removed the exploit details from this article as it appears Nintendo is still working on a fix via their bug bounty platform.

Original Story: While Nintendo's Switch firmware updates are usually all about adding stability and getting rid of bugs, sometimes they inadvertently introduce problems of their own.

As discovered by Conor on his Pwnistry blog, Version 12.0 showcases an exploit that allows you to run your own Javascript code on any device that connects to a Switch (this is referred to as 'XSS', which stands for Cross-Site Scripting). He has also confirmed to us that, as of Version 12.0.1, the exploit still exists (it is possible it existed prior to 12.0, as the feature the exploit uses was present in Version 11.0).

Conor is keen to stress that this vulnerability does not allow the user to run unsigned code on the Switch, so it cannot be used to 'hack' the console in any way – but it could be used for potential mischief nonetheless.

He goes into a little more detail on how this attack could be implemented on his blog, and states that he has already alerted Nintendo of the exploit's existence, so it should be patched out fairly soon.