Fraud Management & Cybercrime , Incident & Breach Response , Security Operations

Dark Souls 3 Video Game Reportedly Has Exploitable Flaw

Vulnerability Could Allow Takeover of a Player's System; Servers Taken Offline
Dark Souls 3 Video Game Reportedly Has Exploitable Flaw
Artist rendering of scenes from Dark Souls III (Photo:Natty Dread, via Flickr/CC)

Stay tuned for updates on this developing story.

See Also: 2018 Banking Threat Landscape: An Inside Look at How Cybercriminals Target Financial Services

A community of gamers was alarmed by a remote code execution flaw discovered over the weekend in the popular gaming series Dark Souls. While Bandai Namco Entertainment Inc., the developer of the game, has not formally confirmed details of the flaw, the official Dark Souls Twitter confirmed that servers for Dark Souls, Dark Souls 2, Dark Souls 3 and Dark Souls: Prepare to Die had been "temporarily deactivated" to investigate what the developers are calling "reports of an issue with online services."

A game developer reportedly discovered the exploit and reported it to Bandai Namco Entertainment. A series of posts to Reddit and other online forums have led to wider discussions about the vulnerability, security firm Kaspersky reports in a blog post.

Dark Souls is a popular third-person role-playing game, or RPG, and can be played on consoles such as PlayStation and Xbox, and PCs.

Bandai Namco Entertainment didn't immediately respond to Information Security Media Group's request for technical details about the vulnerability.

Details of the RCE Flaw

At this time, the vulnerability has not been officially cataloged, although the subject of who discovered the exploit is widely being discussed on Reddit, where users are also speculating that a non-malicious person was responsible.

The RCE flaw, which gamers are discussing online, has been demonstrated by a Twitch streamer known as The__Grim__Sleeper. As he was livestreaming game play, suddenly his game crashed and Microsoft PowerShell launched. From there, an unknown operator took over control of the gamer's account and began making comments through Windows Narrator. Allegedly, the exploit has not been used by malicious hackers in the wild and was discovered by a nonmalicious party that has been trying to bring awareness to unsafe features in the Dark Souls series, according to a post in the SpeedSoul's Discord.

Some researchers, however, are questioning the manner in which the public has been alerted to the exploit. To date, it has not been confirmed whether the vulnerability was previously divulged to Bandai Namco Entertainment before leaking it to the public.

"Despite the ethically dubious way of drawing attention to the problem, the person behind the attack apparently was not trying to cause any real harm," says Kaspersky's blog.

A Reddit moderator posted more information about the RCE flaw, which he said had been patched by Blue Sentinel, which is a downloadable, anti-cheat extension tool.

Gamers on the Elden Ring Reddit threat, r/Eldenring, said that the RCE flaw that had been reported in the Dark Souls games could allegedly be exploited in this game series as well. In response to a post, Bandai Namco Entertainment wrote: "Thanks very much for the ping, a report on this topic was submitted to the relevant internal teams earlier today, the information is much appreciated!"

Gamers are being advised by Reddit moderators to take the game offline. Reddit users discussing the vulnerability online say that the RCE vulnerability could lead to a malicious hacker stealing sensitive information or installing malware.

While not much is known about this flaw yet, this would not be the first time a critical flaw was found in a popular video game. Minecraft, for example, was where a critical vulnerability was first discovered in the widely used Adobe Log4j logging software. That flaw, designated CVE-2021-44228 and also known as Log4Shell, ultimately turned out to be present in thousands of applications that use the Log4j software, including Minecraft.


About the Author

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.