Feeds

Nintendo downplays Wii U 'hidden control panel' hack fears

Miiverse admin board just-a mock-a-up, says Mario

Top 5 reasons to deploy VMware with Tegile

A video games fan claims he accidentally hacked into the online environment (Miiverse) of Nintendo's latest game console, the Wii U.

A gamer called Trike claims he stumbled across a secret debug menu in the Miiverse that gave him access to a list of administrators and a control panel, hours after the US release of the console on Sunday. Snapshots posted by the gamer suggest he might have inadvertently scored access to controls that would have allowed him to delete access rights to Japanese administrators of the network or re-issue passwords.

However Nintendo said that the supposed "debug menu" was actually a "mock-up", not a live system.

"It has come to our attention that some people were able to access a mock up menu on Miiverse following the launch of Wii U in the US," Nintendo told Games Industry International. "Please note that this was only a mock up menu and has now been removed and is not accessible."

Trike said he made no attempt to abuse the supposed super-user rights he had inadvertently stumbled upon. Significantly, he also claims to have come across private message and pre-launch user forums in the Miiverse.

"At first it asked me to sign in, because my login information didn't match," Trike explained. "Then I pressed a button and it sent me to a list of admins anyway. They had buttons in the same row as the names, and I could "regenerate password" or "Delete Admin" or something along those lines. I didn't do it it because I didn't want to risk getting my god damn Wii U banned on day 1."

Trike asked for help in passing on his surprise finding to Nintendo "directly without going through their customer service email crap", as he put it. The gamer reported his discovery in a posts to the NeoGAF gaming forum, alongside snapshots taken from a mobile phone that appear to depict Miiverse control panels, as evidence of the apparent (since denied) security breach.

The gamer further claimed he was able to view private messages sent by other online gamers as well as hidden forums intended for discussion of upcoming (unannounced) games such as Yoshi's Island Wii U.

Feedback to these posts was largely along the lines of "Delete everything, make yourself an admin and RULE THE MIIVERSE", to quote one post.

Chris Boyd (AKA PaperGhost), senior threat researcher at GFI Software, and an expert in gaming security, played down the practical significance of the incident to game fans.

"On this occasion it's probably nothing to worry about, although it's unusual for such a menu to be so easily accessible - typically mock ups are kept on their own private network (sometimes requiring development kits to operate), or offline altogether<" Boyd told El Reg.

Nintendo's US tentacle announced it was running maintenance on its network on Monday morning, before later advising customers not to turn off their console during the update process.

So many Miis have jumped on Miiverse that some may be having problems connecting to the service. We are in the engine room getting it fixed!

This Twitter post makes no mention of removing access to the mock up menu but access to this facility was blocked following the update.

The security of gaming networks has become a bigger issue since the Playstation Network hack that spilled names, addresses, email addresses, birthdays and user login credentials of million of gamers last year. PSN was taken offline for more than a month to sort of the resulting mess.

The Nintendo breach is small beer by comparison, notes Graham Cluley of Sophos in a blog post on the apparent Miiverse snafu.

"Is the apparent security snafu damaging to Nintendo? Probably not. They appear to have resolved the issue quickly, and there is no suggestion that sensitive information was stolen from users, unlike last year's Sony PlayStation network hack where hackers stole the personal data of millions of people," Cluley writes. ®

Intelligent flash storage arrays

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.