Correction: Researcher Runa Sandvik said they found that an 'OK' dialogue box in a login user interface on the Nintendo Switch lit up when a user entered only part of their password, and that this is unusual behaviour. However, the dialogue box actually changes when a user enters a series of characters that meet Nintendo's minimum requirements for a password. Those are the password being 8 characters in length, and containing at least two of the following: lowercase or uppercase letters, numbers, and punctuation. The password also cannot have the same character more than twice in a row. Motherboard verified Sandvik's interpretation is not correct by typing in a random series of digits that aren't a real password but which do meet those requirements; the 'OK' box lit up. This points to a quirk in the Switch's UI, but not necessarily a security vulnerability. The original article follows below. Motherboard regrets the error.
Over the past few weeks, hackers breached tens of thousands of Nintendo accounts. In some cases, hackers bought digital products such as in-game currency with victims' linked payment information.
Now, a security researcher has found an odd issue with how the Nintendo Switch console handles login credentials, potentially making it easier for hackers to figure out peoples' passwords, and raising questions about how Nintendo is storing passwords
The issue revolves around how users log into the eShop from a Nintendo Switch. As security researcher Runa Sandvik explained it, when logging into the eShop before typing in a password, the 'OK' dialogue box is greyed out. When a user enters their correct password, it lights up and lets the user log in. Expected behaviour, so far.
Do you work at Nintendo, did you used to, or do you know anything else about the company? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
But Sandvik found that the 'OK' box also lights up if the user only enters the first eight characters of their password. The eShop won't let the user actually login—they still need to enter their complete password—but it does provide visual feedback to someone trying to guess a password that they're on the right track. Essentially, this could give a hacker a better chance of figuring out your password if they only have to determine what comes after the eighth character, although of course they would still need to get that first section too.
"Makes it easier when you signal whether the first 8 are correct," Sandvik said.
Beyond potentially providing hackers clues on whether they have part of someone's password, Nintendo being able to display this information raises several questions around how the company is protecting user's passwords in the first place.
Typically, websites and services will 'hash' a user's password, and store that rather than the plaintext password itself. A hash is essentially a one-way, cryptographic fingerprint of a piece of data. A user will type their password into the login box, the system will hash that input, and then compare it to the hash the website has on file to see if they match. If they do, the system logs the user in.
But, that would not necessarily work if Nintendo is able to tell a user that they've successfully entered the first eight characters of their password. Is Nintendo creating a hash of the first eight characters as well as another hash of the full password? Is Nintendo storing the first eight characters in plaintext?
"Weird," Per Thorsheim, a password security expert and founder of the PasswordsCon conference told Motherboard in an online chat. "Good UX [user experience] may have been a point, but it might weaken or even compromise the security," he added.
Nintendo acknowledged a request for comment but did not answer any questions on how it stores passwords.
Subscribe to our cybersecurity podcast, CYBER.