Switch’s Latest Firmware Update Contains A JavaScript Exploit, But Don’t Worry Too Much


While Nintendo’s Switch firmware updates are usually all about adding stability and getting rid of bugs, sometimes they inadvertently introduce problems of their own.

As discovered by Conor on his Pwnistry blog, Version 12.0 contains an exploit that allows you to run your own JavaScript code on any device that connects to a Switch using the new ‘Screenshot Transfer’ utility (this kind of attack is known as ‘XSS’, short for Cross-Site Scripting). He has also confirmed to us that the exploit still exists as of Version 12.0.1; it may also have existed prior to 12.0, as the screenshot transfer tool the exploit uses was present in Version 11.0.

Conor is keen to stress that this vulnerability does not allow the user to run unsigned code on the Switch, so it cannot be used to ‘hack’ the console in any way – but it could be used for potential mischief nonetheless.

As Conor explains:

This exploit utilises a feature that was introduced in SwitchOS 11.0, specifically a new method to transfer screenshots from the Switch to a phone or another device. The way this feature would work is:

1) The Switch would set itself up as a wireless access point with credentials given out via QR code
2) The Switch would set up a webserver on that access point, containing the Console Nickname, which is set in the Switch’s Settings menu by the user, and the photos the user wanted to share.

He goes into a little more detail on how this attack could be implemented on his blog, and states that he has already alerted Nintendo to the exploit’s existence, so it should be patched out fairly soon.
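To make the risk concrete, the sketch below models a transfer page that shows a user-chosen nickname, first concatenated into the HTML as-is and then escaped. It is an added example, not Nintendo's code or code from Conor's blog; every function name, the page layout and the sample values are assumptions, and it assumes the nickname reaches the page unescaped, which the article implies but does not spell out.

```javascript
// Added example: a model of the transfer page described above. All names are hypothetical.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the user-chosen nickname is concatenated straight into the markup,
// so any tags it contains are parsed by the connecting device's browser.
function renderUnsafe(nickname, photos) {
  const items = photos.map((p) => `<li><img src="/img/${p}"></li>`).join("");
  return `<html><body><h1>${nickname}</h1><ul>${items}</ul></body></html>`;
}

// Hardened form: the nickname is escaped before it is placed in the page, and
// photo names must match a strict allow-list pattern or they are dropped.
function renderSafe(nickname, photos) {
  const items = photos
    .filter((p) => /^[A-Za-z0-9_-]+\.jpg$/.test(p))
    .map((p) => `<li><img src="/img/${escapeHtml(p)}"></li>`)
    .join("");
  return `<html><body><h1>${escapeHtml(nickname)}</h1><ul>${items}</ul></body></html>`;
}

// Defence in depth: headers that stop the browser running any script on the page,
// even if an escaping mistake slips through later.
function responseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'none'; img-src 'self'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample input (not taken from the article or the blog).
const sampleNickname = "<script>alert(1)</script>";
const samplePhotos = ["2021041500000000.jpg"];

console.log("unsafe page contains a live script tag:",
  renderUnsafe(sampleNickname, samplePhotos).includes("<script>"));
console.log("safe page contains a live script tag:",
  renderSafe(sampleNickname, samplePhotos).includes("<script>"));
```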
