Nintendo Switch ships with unpatched 6-month-old WebKit vulnerabilities

Enlarge A proof-of-concept that exploits WebKit vulnerabilities on Nintendo’s Switch.

Nintendo’s Switch has been out for almost two weeks, which of course means that efforts to hack it are well underway. One developer, who goes by qwertyoruiop on Twitter, has demonstrated that the console ships with months-old bugs in its WebKit browser engine. These bugs allow for arbitrary code execution within the browser. A proof-of-concept explainer video was posted here.

The potential impact of these vulnerabilities for Switch users is low. A Switch isn’t going to have the same amount of sensitive data on it that an iPhone or iPad can, and there are way fewer Switches out there than iDevices. Right now, the Switch also doesn’t include a standalone Internet browser, though WebKit is present on the system for logging into public Wi-Fi hotspots, and, with some cajoling, you can use it to browse your Facebook feed.

The exploit could potentially open the door for jailbreaking and running homebrew software on the Switch, but, as of this writing, the exploit doesn’t look like it provides kernel access. The developer who discovered the exploit himself says that the vulnerability is just a “starting point.”

In any case, the presence of six-month-old software bugs suggests that Nintendo’s software development practices have room for improvement. When Nintendo uses well-supported software projects like WebKit and FreeBSD to power the Switch, that’s generally a good thing. But it also means that the company needs to stay on top of upstream patches to keep its console and its users safe. Once the always-hectic launch period is behind us, hopefully Nintendo can do a better job keeping current.