
Morrigan

Spear of the Metal Church
Member
Oct 24, 2017
34,397
wccftech.com

Report: Bandai Namco was Aware of Dark Souls Security Exploit for Years

According to a VGC report, the exploit that's been affecting the PC version of Dark Souls I, II, and III has been around for years.

Remember that Dark Souls exploit that caused a lot of trouble for PC users? Well, it turns out that Bandai Namco might have been aware of this issue for quite some time. According to a new report from VGC, multiple individuals have discovered the exploit as early as 2019. This means that Bandai Namco might've been aware of the issue for a long time... So, a repeat of the GOG Galaxy situation.

First off, an update on the current situation surrounding the PC versions of Dark Souls, Dark Souls II, and Dark Souls III. As of the writing of this article, Dark Souls' PC servers have remained offline to fix the exploit. For those in need of a refresher, this exploit allows players to introduce malicious code into the user's PC through the game's Invaders feature.

One of the people behind the discovery of the vulnerability told VGC that they had made Bandai Namco aware of the issue over a month earlier. As is common of cybersecurity incidents of this caliber, neither the publisher nor developer FromSoft acted upon the warning until it was made public.

Turns out it may also affect consoles, unlike what was previously thought:
Alarmingly, LukeYui also claimed that while they can't go into specifics as to avoid giving away the exploit details, the latest RCE could be used against console players without the attacker needing a jailbroken console.

Concerning Elden Ring and anti-cheats:
Of course, we wouldn't be talking about this issue without explaining how it's going to affect the hotly anticipated title Elden Ring. LukeYui explained that Elden Ring will have the exact same problem.

I've had the chance to see code from the closed network test and can already tell you that there are a lot of crashes and vulnerabilities in Elden Ring's netcode, the exact same ones as in Dark Souls III actually! So, I suspect it's going to take five minutes for cheaters from Dark Souls III to port their scripts to Elden Ring and make release day a hellscape.

Now, some users might bring up the fact that the Elden Ring EULA talks about using Easy Anti-Cheat. LukeYui gave some insight on this matter, citing that while EAC will stop inexperienced cheaters, it won't stop people who have experience developing cheat tools. Additionally, should the player have some form of anti-cheat solution provided by the community, they risk getting their account banned by Bandai Namco themselves.

Why is that? Well, it turns out that Bandai Namco heavily discourages using protection mods for their games.

(More at the link)

-----

For further context, here is the previous thread on the topic which was largely about Dark Souls 3:
www.resetera.com

Major Dark Souls 3 PC security exploit found (UP: may affect ALL Dark Souls games on PC + possibly Elden Ring) [Update: Fan Patch Up]

Apparently playing online can cause other players to insert scripts into your game. Reddit link with info Maybe it could impact Elden Ring? Now I'm not sure about playing it on PC.....

To summarize: the exploit was discovered years ago and Bamco was tipped off, but did nothing. Then recently someone blew the whistle, forcing Bamco to shut down servers on all Dark Souls games on PC. Console versions were seemingly unaffected, but now it turns out that they might still be...! And worse, Elden Ring, which has gone gold and comes out in 3 weeks as of this writing, may have the same problem too. 😬 The difference is probably that on console, another player can't brick your console the way they could your PC, but still.

This is pretty bad. Unless there's clear news from Bamco about patches (for console versions too) on all Dark Souls games and a day 1 patch for Elden Ring about this, I'm gonna have to play the game offline... And while the articles mention it's the invasion system that's to blame, I suspect the coop system could still have this exploit, or in other words, I don't trust the online at all outside of messages and bloodstains anymore. :(

Bamco (and possibly FromSoftware) ignoring the problem and sweeping it under the rug is really inexcusable, though. What the fuck.
 

Soap

Member
Oct 27, 2017
15,210
Class action lawsuit for them then, and that's hooking no government watchdog picks up on it.
 

GameAddict411

Member
Oct 26, 2017
8,525
This is so bad. I think the right thing to do is to either disable Elden Ring online for the meantime or delay the release date.
 

The Albatross

Member
Oct 25, 2017
39,054
"this exploit allows players to introduce malicious code into the user's PC through the game's Invaders feature."

lol git gud


Really bad. Can't believe they've known about the exploit for a couple years and didn't act aggressively on it then.
 

shadowhaxor

EIC of Theouterhaven
Verified
Oct 27, 2017
1,730
Claymont, Delaware
Of course, they've known about this for years. Except all they did was let this run rampant, and instead of doing something they banned legit players who ended up fucked. This is why I was honestly surprised when they finally did something. I suppose being so close to the release of Elden Ring and that it would be impacted was the deciding factor. Can't have one of the most anticipated games having this sort of issue.

There are hundreds of tales of people's games getting corrupted, characters hacked, items being hacked, and causing whoever picked them up to get screwed up. While others have had hackers come into their games and have them sent to random locations. Some permanently stuck and forced to start new games if they didn't have a backup.

This is exactly why Blue Sentinel for Dark Souls 3 exists.
 

Takatomon

Member
Oct 25, 2017
236
If consoles are affected and it allows code execution, wouldn't it be possible to have a jailbreak entry with it? That'd be nuts.
 

Rover_

Member
Jun 2, 2020
5,189
daaaamn.

they really need to communicate if they are gonna fix this for Elden Ring's launch.
 

shadowhaxor

EIC of Theouterhaven
Verified
Oct 27, 2017
1,730
Claymont, Delaware
So is this only really affecting PC players? Should I be getting Elden on console?
Nope. I recall console players running into hackers and hacked items that would brick their game saves.

daaaamn.

they really need to communicate if they are gonna fix this for Elden Ring's launch.

I've been talking to a community manager and haven't been able to get an answer. They're definitely working on this, hence the Dark Souls servers still being down.
 

Patitoloco

Banned
Oct 27, 2017
23,714
If consoles are affected and it allows code execution, wouldn't it be possible to have a jailbreak entry with it? That'd be nuts.
That's an interesting point. I'm sure the console stuff is pretty much impossible even if the article says otherwise, but these things are why many consoles managed to get pirated lol
 

Craiji

Member
May 26, 2018
217
I wonder if Bloodborne or the Demon's Souls Remake (probably way less concerned about this one) also suffer from this?
 

Griffith

Banned
Oct 27, 2017
5,585
Assuming the release date isn't postponed, I recommend that everyone plays Elden Ring offline until further notice.
 

Rover_

Member
Jun 2, 2020
5,189
Nope. I recall console players running into hackers and hacked items that would brick their game saves.
I've been talking to a community manager and haven't been able to get an answer. They're definitely working on this, hence the Dark Souls servers still being down.

yikes, it's clear: or they fix it in time or it's not a day one any longer :(
 

Gunny T Highway

Unshakable Resolve - One Winged Slayer
Member
Oct 27, 2017
17,034
Canada
Even if it is possible to affect consoles wouldn't it still be pretty hard to actually do it unlike PC to perform code execution? Either way I guess I will just play offline until a fix. They ain't delaying Elden Ring at this point.
 

hydruxo

▲ Legend ▲
Member
Oct 25, 2017
20,450
I don't really care about online in Souls games anyways so I'm cool with playing Elden Ring offline
 

NeoBob688

Member
Oct 27, 2017
3,640
Where is the proof that they knew in 2019 though? the article doesn't provide that, it just says someone in the community knew
 

IIFloodyII

Member
Oct 26, 2017
24,015
Well offline it is, not risking my PS5 for a feature I don't care too much for. Even if it's only a might.
 

julia crawford

Took the red AND the blue pills
Member
Oct 27, 2017
35,312
How can you be aware of an ACE exploit in your system and not immediately stop everything to fix it...? I'm hoping this is some weird combination of licenced software that they cannot change or something that they have a very hard time auditing or whatever because otherwise this is dangerously incompetent.

Kind of suspect this is one of those "someone coded this and they've been gone for a decade and no one can read this" kinds of things.
 

EagleClaw

Member
Dec 31, 2018
10,708
Good thing I almost never get invaded.
Maybe because I'm NAT Type 2.

But fix that stuff yesterday...
 

entremet

You wouldn't toast a NES cartridge
Member
Oct 26, 2017
60,228
I like the online component with these games. Playing offline is a bit wack imo.
 
OP

Morrigan

Spear of the Metal Church
Member
Oct 24, 2017
34,397
Where is the proof that they knew in 2019 though? the article doesn't provide that, it just says someone in the community knew
It's there:

On a more concerning note, VGC also reported that the publisher of the series has been notified of another RCE as far back as 2020. Even more worrying is the fact that the issue has remained unfixed.

Another member of the Dark Souls community told VGC they made the games' publisher aware of a second, yet to be made public RCE as far back as in 2020 and that it remains unfixed.
And the 2019 one:
VGC talked with Reddit user LukeYui regarding the current incident. The user has talked about how they have made numerous reports about cheats and vulnerabilities in Dark Souls III to Bandai Namco. One of the most severe being the New Game+ exploit which was first reported by LukeYui in 2019.
 

MeltedDreams

Member
Oct 27, 2017
7,963
The game is launching with disabled online, isn't it? It's something they should do if they can't fix it with day 1 update. What a shit show.
 

Gunny T Highway

Unshakable Resolve - One Winged Slayer
Member
Oct 27, 2017
17,034
Canada
Where is the proof that they knew in 2019 though? the article doesn't provide that, it just says someone in the community knew
It is probably all speculation, but Woolie in the latest Castle Superbeast podcast said that companies tend to ignore exploits like this quite often when there is a small chance of the exploit being found. It is thrown in as a C-Class or lower bug class and just ignored by the devs.
 

Griffith

Banned
Oct 27, 2017
5,585
Where is the proof that they knew in 2019 though? the article doesn't provide that, it just says someone in the community knew

There's no evidence that people knew about it but everyone that plays Dark Souls on PC knew how bad the exploits could be. I've lost at least a couple of save-files because of it and nowadays (or at least before servers were taken down) I'd only play them with a community-made add-on that helps protect or disconnect you from a cheater if one connects to your world. It wasn't a secret that these sorts of exploits were around and they were never addressed.
 

SteamyPunk

Member
Oct 26, 2017
471
How come we've never heard of this kind of thing with other games? Sure it's not all overblown?