Nintendo has taken both games offline as of Thursday when it issued a statement that it had discovered vulnerabilities in them. It is believed the exploit could allow someone to take over another’s console simply by playing against them online. Nintendo has said it does not know when it will resume online play functionality for either yet. While the Wii U may not have been Nintendo’s biggest seller both Mario Kart 8 and Splatoon have each seen millions of units sold.
Nintendo Statement:
“This network service is currently unavailable due to urgent maintenance required to fix a vulnerability related to online play.
We do not yet have information on when network services can be restored. We apologize for any inconvenience caused.“
VGC reports that Nintendo is likely working on eliminating an exploit called ENLBufferPwn. Known Nintendo data miner OatmealDome posted on their social media page about the exploit and further explained it had previously been patched out of Mario Kart 7, and a number of other games, for the Nintendo Switch and 3DS, but not these games.
The security vulnerability is almost certainly ENLBufferPwn, which could allow an attacker to take over your console just by connecting to them online.
— OatmealDome (@OatmealDome) March 3, 2023
This exploit affected many of Nintendo’s games on the Switch, along with Mario Kart 7 on the 3DS.https://t.co/GWR6alQVy4
An attacker’s control is so thorough in that they could potentially force the victim’s console to install custom firmware. After which the attacker essentially has complete control over the console and can steal all data residing on it as well as control the device’s cameras and microphones. Currently, it is not known when online play functionality for Mario Kart 8 and Splatoon will resume.
Here’s hoping that 2023 is a better year for Nintendo in regard to security and that this is not the beginning of a series of instances like what happened in 2020 when company data reportedly became compromised multiple times. In those cases, details regarding past hardware specifications along with data from over 300,000 user accounts, were said to have been leaked.