The Dark Souls 3 security issues that resulted in its PvP servers being pulled offline have been brewing for a long time, according to the person who brought it to the public’s attention with a high-profile exploit.
According to an interview with Fanbyte (opens in new tab), the person behind the January attack – which consisted of crashing a streamer’s game (opens in new tab) then causing their computer to read off some copypasta text via Windows’ text-to-speech function – goes by nrssr for privacy reasons. They pulled off the hack to raise awareness of a critical security flaw they had privately raised with Bandai Namco customer support early in December 2021. A response from the support team said it would pass along nrssr’s report to security teams working on the game, but it seemingly took its time.
“Given FromSoftware’s track record about fixing exploits in their online games, I was not expecting them to act quickly,” nrssr told Fanbyte. “I wanted to make sure the community had some form of protection ASAP.”
This issue is especially troubling because it allows hackers to take control over the functions of their victim’s system even beyond the confines of the game; in IT security parlance, it’s a Remote Code Execution (RCE) vulnerability. Fortunately, nrssr says they only exploited this vulnerability the one time to raise attention and have never released the info on how to replicate it to the public.
The bad news is that other community security researchers have found the same underlying vulnerability in the code for Elden Ring‘s previous network test, according to nrssr. That doesn’t mean it will lead to the same issues, since the way Elden Ring functions might not allow for a similar exploit. Even if it does, FromSoftware may be furiously patching the problem right now because of all this fresh public attention.
We reached out to Bandai Namco earlier this week to see if it had any response to these Souls-related security concerns and have not yet heard back from the company.
Another security modder fears the Elden Ring release day may be “a hellscape” due to the re-emergence and exploitation of known security issues from previous games.