A security researcher known as kinnay discovered a significant vulnerability in the matchmaking systems of the Nintendo 3DS, Wii U, and Nintendo Switch consoles and reported it in 2018 through the bug bounty platform HackerOne (report #469997).

While the issue has since been fixed by Nintendo, the report was only made public today, sparking some interest in the cybersecurity community due to the severity of the bug and the long period of time that passed before it was made public.
A Vulnerability at the Heart of Matchmaking
The vulnerability resided in the UnicodeToUtf8 function, which is used to convert IP addresses from a platform-specific format to UTF-8 during the matchmaking process.
This process allows consoles to establish direct connections via NAT traversal, a mechanism that lets devices behind NAT communicate with the help of a central server.
However, a bug in the handling of IP inputs caused a stack overflow, opening the door to potentially devastating exploits. According to the summary provided by kinnay and Nintendo, an attacker could exploit this vulnerability to:
- On Nintendo 3DS and Switch: Cause the game to crash, or in more severe cases, achieve Remote Code Execution (RCE) by bypassing Address Space Layout Randomization (ASLR) protections.
- On Wii U: Exploit the lack of ASLR to execute remote code immediately via Return-Oriented Programming (ROP) techniques.
- Attack Amplification: Due to the design of the NAT traversal system, an attacker could send malicious data to multiple consoles simultaneously through a single request to the server, increasing the potential impact.
The vulnerability, if exploited, could have compromised the gaming experience of thousands of users or, in the worst case, allowed unauthorized access to devices.
Nintendo’s response and the long wait for the release
Nintendo mitigated the issue by validating IP addresses on the server before forwarding them to the consoles, an effective fix that closed the vulnerability.
However, the report, originally submitted in 2018, remained confidential until its public release in 2025, as confirmed by recent posts on X celebrating kinnay's work.
This long wait may reflect the responsible disclosure process, where details are published only after the vulnerability has been fully fixed and no longer poses a risk.
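The two defensive checks this class of bug calls for, as an added example that is not Nintendo's code or taken from the report: a relay-side check that an address string is a well-formed IPv4 dotted quad before it is forwarded, and a client-side conversion that refuses to write past its destination buffer. The function names, the UTF-16 input encoding and the 15-character limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_IPV4_TEXT 15 /* "255.255.255.255"; assumed limit, not from the report */

/* Relay-side check (hypothetical): accept only a dotted-quad IPv4 string.
   Oversized or non-numeric input is rejected before it reaches any peer. */
int is_valid_ipv4_utf16(const uint16_t *s, size_t len)
{
    if (len == 0 || len > MAX_IPV4_TEXT) return 0;
    unsigned octets = 0, value = 0, digits = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && s[i] >= '0' && s[i] <= '9') {
            value = value * 10 + (unsigned)(s[i] - '0');
            if (++digits > 3 || value > 255) return 0;
        } else if (i == len || s[i] == '.') {
            if (digits == 0) return 0;        /* empty octet, e.g. "1..2" */
            octets++;
            value = digits = 0;
        } else {
            return 0;                         /* not a digit or a dot */
        }
    }
    return octets == 4;
}

/* Client-side conversion (hypothetical): UTF-16 to UTF-8 with an explicit
   destination capacity (including the NUL). Returns bytes written, or -1 if
   the output would not fit. Surrogates are rejected to keep this short. */
long utf16_to_utf8_bounded(const uint16_t *src, size_t len,
                           char *dst, size_t dst_cap)
{
    size_t out = 0;
    if (dst_cap == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        uint16_t c = src[i];
        if (c >= 0xD800 && c <= 0xDFFF) return -1;
        size_t need = c < 0x80 ? 1 : c < 0x800 ? 2 : 3;
        if (need > dst_cap - 1 - out) return -1;   /* would overflow dst */
        if (need == 3) dst[out++] = (char)(0xE0 | (c >> 12));
        if (need == 2) dst[out++] = (char)(0xC0 | (c >> 6));
        if (need == 3) dst[out++] = (char)(0x80 | ((c >> 6) & 0x3F));
        dst[out++] = need == 1 ? (char)c : (char)(0x80 | (c & 0x3F));
    }
    dst[out] = '\0';
    return (long)out;
}
```

Either check alone stops oversized input; applying both means a client stays safe even if a peer or relay skips validation.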
Source: x.com
