Hacking 3DS/Nintendo, HTTPS, and a new POODLE exploit...usable?

planetarian

Edit: the 3DS service URLs are not vulnerable to this attack; nothing to see here.


OP:
So, this was discovered a few days ago:

http://arstechnica.com/security/201...sses-tls-crypto-bites-10-percent-of-websites/

I did a quick check and Nintendo.com is apparently vulnerable to this:
https://www.ssllabs.com/ssltest/analyze.html?d=nintendo.com
... which likely means that other Nintendo related domains (including those used by the 3DS for updates/etc) are vulnerable as well.

So, I'm not 100% familiar with SSL mechanisms and HTTPS encryption in general, but it does seem as though Ninty encrypting all of their communications has been one of the numerous roadblocks this community has had to deal with. Given my lack of familiarity on the subject, I hope to pose the question to the more knowledgeable members of the community before this vulnerability is plugged: Do you think this is exploitable for us in any way?
 

yuyuyup

POODLE exploit confirmed
[attached image: nintendogs-cats-toy-poodle-new-friends-3d-3ds-rom-.jpg]
 

Celice

The browser of the 3DS is sandboxed, right?

Pip'
So was the WiiU, but that didn't stop arbitrary memory changes in games, and, as far as Mr. Bean et al. suggest, arbitrary file loading, from resource swapping to full-on back-up loading.

If this is a real exploit, the scene members will look into it, and we'll know something in the coming weeks.
 

planetarian

PhoenixWrightX : Please read more carefully, I wasn't saying that. I was wondering if the actual services used by the 3DS were vulnerable to the same exploit. Obviously Nintendo.com is meaningless to our efforts, but if one domain under a given company is vulnerable, others often are as well. That ended up not being the case here, but it was worth checking out.

Oishikatta : I expected as much; I was wondering if the ability to analyze communication directly might be of some utility.

einstein95 : Alrighty, that puts this subject to rest quite clearly. I find it rather unusual that they seemingly have different HTTPS configurations between their services, but props to them for keeping the actually important stuff more secure (though I admit I am somewhat baffled that they don't have a trusted SSL certificate...)
 

planetarian

Friendsxix : this is actually a newly-discovered vulnerability regarding TLS, rather than SSLv3. TLS is supposed to have restrictions on whitespace (which is what the POODLE attack utilizes), but there are some servers that do not enforce these checks. Nintendo.com is still vulnerable, but the URLs used by 3DS services are not.
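
The TLS variant of POODLE discussed in this thread concerns the padding bytes of CBC records: TLS fixes their value, SSLv3 leaves them undefined, and a TLS server that skips the check accepts records it should reject. An added example (not from the thread or from any TLS library) comparing the two validation rules in Python; the function names and sample records are constructed for illustration.

```python
# Added example: CBC padding validation rules, SSLv3 versus TLS.
# All records below are constructed test data, not captured traffic.
BLOCK = 16  # AES block size in bytes

def ssl3_padding_ok(plaintext: bytes, block_size: int = BLOCK) -> bool:
    """SSLv3 rule: only the final length byte is defined; pad content is arbitrary."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    # SSLv3 padding is minimal: pad bytes plus the length byte fit in one block.
    return pad_len + 1 <= block_size and pad_len + 1 <= len(plaintext)

def tls_padding_ok(plaintext: bytes, block_size: int = BLOCK) -> bool:
    """TLS rule: every pad byte must equal the length byte (up to 255 pad bytes)."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    # Production code does this comparison in constant time, together with
    # the MAC check, so that failures are indistinguishable to the peer.
    return plaintext[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1)

# Constructed decrypted records (payload + padding + length byte), 32 bytes each.
SAMPLES = {
    "well_formed": b"D" * 27 + b"\x04" * 5,                # pad bytes match length
    "sloppy":      b"D" * 27 + b"\x00\x01\x02\x03\x04",    # arbitrary pad bytes
    "long_pad":    b"D" * 12 + b"\x13" * 20,               # TLS allows > 1 block
    "overrun":     b"D" * 31 + b"\x40",                    # length exceeds record
}

def lax_only(records: dict) -> list:
    """Names of records that pass the SSLv3-style check but fail the TLS check.

    A TLS endpoint that accepts any of these is not enforcing the padding rule.
    """
    return [name for name, rec in records.items()
            if ssl3_padding_ok(rec) and not tls_padding_ok(rec)]

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:12} ssl3={ssl3_padding_ok(rec)!s:5} tls={tls_padding_ok(rec)}")
    print("accepted only by the lax rule:", lax_only(SAMPLES))
```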
 

Friendsxix

Check the page again: https://www.ssllabs.com/ssltest/analyze.html?d=nintendo.com
It says it is not vulnerable. >.>
Edit: Though it does say "Timeout" for "POODLE (TLS)," I swear earlier it said "POODLE (SSLv3)" was vulnerable. (When your thread was first made.)

EDIT#3: Retracting Edit#2 until I check it again. -.-

EDIT#4: Okay, clicked the wrong link in my history before, so edit 2 was wrong. However, just for fun, https://www.ssllabs.com/ssltest/analyze.html?d=npdl.cdn.nintendowifi.net is vulnerable. ("POODLE (SSLv3)")
 

planetarian

Dunno. It's said this regarding nintendo.com (which, of course, is useless) for me the whole time:
[attached image]


And... once again I remain baffled at how inconsistent their HTTPS configuration is. lol
 