Nintendo Switch Ships With Unpatched 6-Month-Old WebKit Vulnerabilities

An anonymous reader quotes a report from Ars Technica: Nintendo's Switch has been out for almost two weeks, which of course means that efforts to hack it are well underway. One developer, who goes by qwertyoruiop on Twitter, has demonstrated that the console ships with months-old bugs in its WebKit browser engine. These bugs allow for arbitrary code execution within the browser. A proof-of-concept explainer video was posted here. The potential impact of these vulnerabilities for Switch users is low. A Switch isn't going to have the same amount of sensitive data on it that an iPhone or iPad can, and there are way fewer Switches out there than iDevices. Right now, the Switch also doesn't include a standalone Internet browser, though WebKit is present on the system for logging into public Wi-Fi hotspots, and, with some cajoling, you can use it to browse your Facebook feed. The exploit could potentially open the door for jailbreaking and running homebrew software on the Switch, but, as of this writing, the exploit doesn't look like it provides kernel access. The developer who discovered the exploit himself says that the vulnerability is just a "starting point."

You say vulnerability, I say opportunity

[Opportunist]

You see, on consoles such things get fixed incredibly quickly. Not because console makers are security conscious, but because such holes allow people to actually own the consoles they paid for.

Re:

[BronsCon]

2 million units, 2 (a couple) thousand vocal complainers, that's a 0.1% defect rate. One in one thousand. And that's just the vocal complainers; now, factor in that they're the minority. In what world is a 0.1% defect rate acceptable outside of dollar stores and clearance centers? A 0.1% defect rate is what destines a product for those places. Hopefully, Nintendo will fix these issues in short order, support the Switch for a reasonable time, then exit the console market entirely.

Don't get me wrong, I love

Re:

[ArmoredDragon]

The hardware issues are largely overblown. It's just a combination of hype around the release, a lot of press coverage, and a shortage of replacement stock. The vast majority have no problems with their hardware. They sold 2 million pre-orders, and you're hearing maybe a couple of thousand vocal complainers, the true failure rate is well under 1%.

I kind of doubt that. While I'm not interested in owning one of these (or any console for that matter) a complaint that seems universal at this point is that they use a plastic touchscreen with a plastic dock that has no means of buffering the display against scratches. That invariably means a high number of these are going to have scratched/scuffed screens just because of normal use. That is by definition a defect, and basically 100% of them are affected.

Also, as a universal rule in quality control for any

Re: You say vulnerability, I say opportunity

[Anonymous Coward]

Well, you sure convinced me. Now time to go track down a copy of the new Zelda game on PC...

Re: You say vulnerability, I say opportunity

[endercase]

Or an emulator or ton of time working with wine.

Re:

[geminidomino]

It wouldn't if people used it correctly.

It begs the question:

Are you being intentionally ironic?

Re:

[wonkey_monkey]

It begs the question:

Hoo. I'd like to think you did that deliberately, but...

Re:

[wonkey_monkey]

It makes as much sense as "this!"

Re: You say vulnerability, I say opportunity

[Zero__Kelvin]

Of course you can. When you try to do so as the car literally won't let you get back to us.

Re:

[The MAZZTer]

I am quite understanding of console makers' desire to protect their consoles from running pirated games. I am less understanding when their anti-piracy measures go as far as to block backups of saved games, which means if you have to send your console in for repair all your saved games may very well get wiped. There are already horror stories about the Switch in this regard. I fully support homebrew on the Switch if only to fix this intentional flaw. If it enables piracy in the process, too bad for Nintendo

Re:

[Opportunist]

If you can manipulate save games, it may well open up an exploit that can trigger a flaw that allows you to compromise the system.

Game makers are notorious for forgoing sanity checks on save games.

Re:

[tlhIngan]

I am quite understanding of console makers' desire to protect their consoles from running pirated games. I am less understanding when their anti-piracy measures go as far as to block backups of saved games, which means if you have to send your console in for repair all your saved games may very well get wiped. There are already horror stories about the Switch in this regard. I fully support homebrew on the Switch if only to fix this intentional flaw. If it enables piracy in the process, too bad for Nintendo

Re: You say vulnerability, I say opportunity

[Anonymous Coward]

Well, I hope I never grow up.

Re:

[DrXym]

And by "actually own" you mean "pirate stuff". Consoles are closed platforms because the billions in profits come from making you pay to play stuff on the thing. This should not come as a shock to any prospective owner.

Owners who bought it on the basis of being a closed system should be glad its kept closed because it means more premium titles for them to play and a platform which isn't dead before its time. Exploited systems rapidly descend into a cesspit of shovelware and an early grave.

Re:

[adolf]

So every hacked console, ever (which is just about all of them except the current gen), was a dismal failure?

Re:

[DrXym]

Yes by the measure of what it could have been without those hacks. Platforms that don't or can't be fixed (e.g. DS, Wii) get blackballed or 3rd parties churn out shovelware because there is no profit from aiming any higher.

Re:

[DrXym]

Don't be absurd. Billions are lost from cracked consoles. This is quite evident by observing the roaring trade in DS revolution style cartridges that allowed people to play "backups" (i.e. pirate copies). It can also be observed by the quality of titles on platforms that get pirated. Quality falls off a cliff and all that sells is shovelware and a few 1st party titles. Honest owners suffer as much as the platform does from this drop in quality.

If the Switch is irrevocably hacked this early in its life it

Re:

[DrXym]

There is no "blatant violation" because there is no reasonable expectation when purchasing a console that you should be able crack the hardware/software, or that if you do that the manufacturer should still provide service to your device.

Hack away but consoles manufacturers are totally in their rights to block your device, sue you under the right circumstances, ban you online, or patch the firmware so new games won't play.

Re:

[adolf]

We can't measure against what they could have been, because we cannot know how that road would have played out.

You're presenting speculation and opinion as fact.

Come back with a real argument, mmkay?

Re:

[e r]

Do you use Windows? More to the point, do you use Windows 10?

Re:

[Opportunist]

I have to use Win7, what's your point?

Re:

[e r]

Use an OS that allows you to actually own the computer you paid for instead of using Windows.

There's a shock.

[fuzzyfuzzyfungus]

Has Nintendo ever done a decent job with software that isn't a game?

Re:

[SpaghettiPattern]

Has Nintendo ever done a decent job with software that isn't a game?

Chill out buddy. Our whole life is a game. Enjoyment over finishing #1.

Re:There's a shock.

[jonwil]

Sony has been bitten by browser bugs on PS4 as well (and in fact such bugs have been used by people looking to jailbreak the system)

Re:

[_merlin]

Remember when NetFront actually wrote a browser, rather than wrapping WebKit? I had the NEC e606 and e616 phones that had the actual NetFront mobile browser. It made a decent effort to render pages on a tiny screen and make them usable with just the eight-way controller.

Re:

[CronoCloud]

I remember, pre-webkit Netfront was a piece of crap on the PSP and PS3.

Re:

[drinkypoo]

Has Nintendo ever done a decent job with software that isn't a game?

What do you mean by 'decent job'? And what do you mean by 'Nintendo'? And for that matter, what do you mean by 'done'?

If what you mean by 'decent job' is 'free from obvious security holes which could be utterly eliminated by following best practices' then no. No they have not. Everything they've ever done of any complexity has had holes in, and lots of. They patch it over and over as a result (at least, now we're in the era of the patch.) If what you mean is 'works well for users not trying to exploit it' t

Re: IoT bots?

[Anonymous Coward]

Good thing Nintendo hasn't pushed the device as something you'd frequently take out in public and connect to random hotspots or anything.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[mcfedr]

Just because everyone does something crap doesn't make it ok - if Nintendo cared at all about their customers they wouldn't do this.

Re:

[nate_in_ME]

I've had a Switch since day one, and I've had a total of 3 updates:

• "Day one" system update that enabled eShop and other features
• Update to enable SD card storage(maybe that was just because I put an SDXC in it, not sure)
• "Day one" update for Zelda (not sure what it did, but it was there)

For what it's worth, none of these updates took more than 2-3 minutes to do. Would the system have been usable without them? Most likely (except for maybe the SD card one). So are there updates? Yes. Is it a "required"

Re:

[EvilSS]

Has anyone actually reported dead pixels? Everyone was spazing out over their dead pixel written policy (which is the same as just about every other LCD device manufacture's written policy) but I haven't seen any reports of people with actual dead pixels on their displays.

Early soft-mods?

[wardrich86]

This sounds like good news to me... if it allows unauthorized code to be run, it could very well be the beginning of the homebrew scene!

Re: No hacking involved

[Zero__Kelvin]

And like a 5 year old you will discover that your "easy" scheme doesn't actually work.

Mission Critical?

[DatbeDank]

While all holes and bugs should be fixed, this reads as FUD for me. Maybe those considering using their Nintendo Switches for accessing nuclear launch systems, banking software, and power infrastrucures should refrain from doing so.

Re:

[Shados]

the main issues with consoles is that game publishers absolutely look at piracy numbers when picking what platforms to target.

This is (if i remember well...who reads the article?) just a userland bug right now, but once you can run pirated games, it gets noticed, and sometimes publishers will chose to skip the console for their next big game if it gets too bad (the DS ease of piracy was totally one of the factors that kept the PSP on the map back then).

So for a console that is already under heavy scrutiny f

Re:

[geminidomino]

No, things haven't changed much. The DS and 3DS also have very easy methods of piracy, and that didn't stop either of them from absolutely dominating the handheld market.

I'm pretty sure GP's "piracy dooms systems to obscurity" meme is borne of the oversimplified copypasta about the failure of the Dreamcast.

Re:

[Nethemas the Great]

It is FUD. Do people think Nintendo built all these devices the day before shipping?

Re:

[barc0001]

It's Ars Technica. They make a hobby of bashing Nintendo any way they can.

Re:

[barc0001]

You mean this review?

https://arstechnica.com/gaming/2017/03/nintendo-switch-review/

Check the closing words:

"Time to make the Switch?

At this point, it looks like buying the Switch as your only game console means missing out on everything from Mass Effect and Call of Duty to The Witcher and Assassin's Creed to Tomb Raider and Destiny. That list can go on and on. Maybe those major franchises will eventually be forced to pay attention to a Switch that absolutely flies off the shelves. For now, though, relying o