In December last year, Nintendo released a remaster update for its out-of-date 3DS messaging app Swapnote.
It had a lot of fans wondering what was really going on at the time, as it didn’t seem like much of a remaster at all. The Nintendo patch notes provided with this software update stated it “fixed some problems” but as usual, didn’t elaborate.
It turns out the story goes a little deeper, with dataminer ‘OatmealDome’ relaying how the note sharing service actually had a vulnerability in the message parser which was able to be exploited over StreetPass – in turn allowing an “attacker” to run any code they wanted.
Wondering why Swapnote for the 3DS was updated last month? This is (likely) why.
A vulnerability in the message parser that could be exploited over StreetPass was fixed. It would allow an attacker to run any code they wanted.
— OatmealDome (@OatmealDome) January 18, 2021
The individual behind this discovery ‘mrnbayoh‘ received $1,682 USD from Nintendo (via HackerOne) as a reward. So, there you go – this “likely” explains why Nintendo rolled out an update years after it disabled the app’s primary feature.
In case you don’t remember, this free service was effectively discontinued back in 2013 when Nintendo found out users were exchanging offensive material. It then disabled the online functionality, limiting it to local wireless.