Nintendo Switch Ships With Unpatched 6-Month-Old WebKit Vulnerabilities

An anonymous reader quotes a report from Ars Technica: Nintendo's Switch has been out for almost two weeks, which of course means that efforts to hack it are well underway. One developer, who goes by qwertyoruiop on Twitter, has demonstrated that the console ships with months-old bugs in its WebKit browser engine. These bugs allow for arbitrary code execution within the browser. A proof-of-concept explainer video was posted here. The potential impact of these vulnerabilities for Switch users is low. A Switch isn't going to have the same amount of sensitive data on it that an iPhone or iPad can, and there are way fewer Switches out there than iDevices. Right now, the Switch also doesn't include a standalone Internet browser, though WebKit is present on the system for logging into public Wi-Fi hotspots, and, with some cajoling, you can use it to browse your Facebook feed. The exploit could potentially open the door for jailbreaking and running homebrew software on the Switch, but, as of this writing, the exploit doesn't look like it provides kernel access. The developer who discovered the exploit himself says that the vulnerability is just a "starting point."

You say vulnerability, I say opportunity

[Opportunist]

You see, on consoles such things get fixed incredibly quickly. Not because console makers are security conscious, but because such holes allow people to actually own the consoles they paid for.

Re:You say vulnerability, I say opportunity

[The+MAZZTer]

I am quite understanding of console makers' desire to protect their consoles from running pirated games. I am less understanding when their anti-piracy measures go as far as to block backups of saved games, which means if you have to send your console in for repair all your saved games may very well get wiped. There are already horror stories about the Switch in this regard. I fully support homebrew on the Switch if only to fix this intentional flaw. If it enables piracy in the process, too bad for Nintendo. They should have learned their lessons like Valve did when they created Steam and totally owned the PC gaming market.

Re: IoT bots?

Good thing Nintendo hasn't pushed the device as something you'd frequently take out in public and connect to random hotspots or anything.

Re:There's a shock.

[jonwil]

Sony has been bitten by browser bugs on PS4 as well (and in fact such bugs have been used by people looking to jailbreak the system)

A non-issue, just update the device!

[adosch]

That's great there's an announcement of using an outdated Webkit framework on the Nintendo Switch. Is this anything new? How's that any different if I got some IoT device to a smart phone (Android or iPhone) to installing any Windows/Linux OS to an Xbox/Playstation? Does what I had deployed out of the box already have packages that are already part of security updates that need to be updated?

Fun to report from a journalism perspective, but definitely not news or anything to debate. Just update the Nintendo Switch and stop the huge reach of trying to criticize the console or Nintendo feebly.

Early soft-mods?

[wardrich86]

This sounds like good news to me... if it allows unauthorized code to be run, it could very well be the beginning of the homebrew scene!

Mission Critical?

[DatbeDank]

While all holes and bugs should be fixed, this reads as FUD for me. Maybe those considering using their Nintendo Switches for accessing nuclear launch systems, banking software, and power infrastrucures should refrain from doing so.