Remember that Dark Souls exploit that caused a lot of trouble for PC users? Well, it turns out that Bandai Namco might have been aware of this issue for quite some time. According to a new report from VGC, multiple individuals have discovered the exploit as early as 2019. This means that Bandai Namco might've been aware of the issue for a long time... So, a repeat of the GOG Galaxy situation.
First off, an update on the current situation surrounding the PC versions of Dark Souls, Dark Souls II, and Dark Souls III. As of the writing of this article, Dark Souls' PC servers have remained offline to fix the exploit. For those in need of a refresher, this exploit allows players to introduce malicious code into the user's PC through the game's Invaders feature.
One of the people behind the discovery of the vulnerability told VGC that they had made Bandai Namco aware of the issue over a month earlier. As is common of cybersecurity incidents of this caliber, neither the publisher nor developer FromSoft acted upon the warning until it was made public. In other words, when the exploit was already used for malicious purposes and it was too late to subtly fix the issue.
On a more concerning note, VGC also reported that the publisher of the series has been notified of another RCE as far back as 2020. Even more worrying is the fact that the issue has remained unfixed.
Another member of the Dark Souls community told VGC they made the games’ publisher aware of a second, yet to be made public RCE as far back as in 2020 and that it remains unfixed.
The person who discovered the latest RCE alleges that there are serious issues with all of the Souls games’ shared network infrastructure and said they believe it’s “inevitable” that Elden Ring will feature many of the same exploits, which will “probably be ported without issues and used on release by malicious cheaters.”
The publication was told that Dark Souls III itself had over 100 cheats, hacks, and security vulnerabilities. Of course, the majority affected PC players. Not only that, but the collection of problems range from causing the game to crash, corrupt save file data, and of course, RCE vulnerabilities.
VGC talked with Reddit user LukeYui regarding the current incident. The user has talked about how they have made numerous reports about cheats and vulnerabilities in Dark Souls III to Bandai Namco. One of the most severe being the New Game+ exploit which was first reported by LukeYui in 2019. The exploit allows players to manipulate save file flags of the host and joined players, forcing them into an NG+ cycle and potentially corrupting save files in the process.
Alarmingly, LukeYui also claimed that while they can’t go into specifics as to avoid giving away the exploit details, the latest RCE could be used against console players without the attacker needing a jailbroken console.
Of course, we wouldn't be talking about this issue without explaining how it's going to affect the hotly anticipated title Elden Ring. LukeYui explained that Elden Ring will have the exact same problem.
I’ve had the chance to see code from the closed network test and can already tell you that there are a lot of crashes and vulnerabilities in Elden Ring’s netcode, the exact same ones as in Dark Souls III actually! So, I suspect it’s going to take five minutes for cheaters from Dark Souls III to port their scripts to Elden Ring and make release day a hellscape.
Now, some users might bring up the fact that the Elden Ring EULA talks about using Easy Anti-Cheat. LukeYui gave some insight on this manner, citing that while EAC will stop inexperienced cheaters, it won't stop people who have experience developing cheat tools. Additionally, should the player have some form of anti-cheat solution provided by the community, they risk getting their account banned by Bandai Namco themselves.
Why is that? Well, it turns out that Bandai Namco heavily discourages using protection mods for their games. Regardless of the motive behind using them, protection mods violate Bamco's EULA regarding the use of external tools and programs. This leaves players in a position where they’re faced with two choices: Risk getting banned by a cheater, or risk getting banned by using an external tool to protect against cheaters.
Nearly a week after From Software publicly acknowledged the latest RCE issue, the person that discovered it says they haven’t received further correspondence on how or when it will be addressed.
Right now I’m waiting on FromSoftware to announce their plans regarding the servers: are they staying down, are they working on a fix, etc. My original plan was to fully disclose the exploit details after I could confirm the fix or server end of life was declared, but it’s already been a few days and no news. I’m thinking about announcing a deadline after which I will make exploit details public no matter what.
We'll continue to update you on the details regarding the exploit and other Elden Ring news as the release date of the game comes closer.