Nintendo’s NNID Hack: The Impact of Authentication Flaws
16 June 2020
The entire games industry and news media set have been talking this week about the recent Nintendo's NNID hack. With the confirmed number of breaches now over 300,000, as well as potentially a similarly large number of account hijackings, we think now is an ideal time to give a security viewpoint on what happened, how it happened, and what can happen as a result of such flaws in a game's code and security systems.
Often when attacks of this nature happen, regardless of what industry they may happen in (let's be clear, these kinds of hacks aren't unique to the games industry), we get a lot of sensationalist headlines, facts, and figures reported, but we don't get that much detail on the technical side of things. Are hacks like this common? Simple to fix? Avoidable? How can we prevent them in future while helping players and stakeholders feel safe?
Not all hacks are created equal, there are countless ways to hack a game or app infrastructure. When major breaches like these happen, we believe it's just as important to talk tech as it is to report the news so that we can be more prepared for the next potential attack.
Let's start simple. What happened with the Nintendo Network ID hack?
The Nintendo hack happened because of what is known as an authentication flaw. Authentication flaws can happen when an application's infrastructure doesn't perform reasonable checks on the origin of a request for access to an account or system. In the specific case of Nintendo, checks weren't performed when users attempted to link accounts to the Network ID of another existing player. If the person trying to access the account simply had the ID number of the Nintendo Network account, they were able to access the existing player's account through their own separate account.
To put this in a real-world context, this isn't dissimilar to trying to enter a VIP section at a concert or similar event, correctly quoting a name on a bouncer's guestlist and saying 'that's me'. If the bouncer isn't instructed to check for ID or perform any kind of secondary authentication, your word on knowing the name on the list alone is good enough.
How did it happen?
There are two factors that have to be in play to make an attack like this possible. For the first one, on the most fundamental level, the hacker will need access to another player's network ID or credential.
This is where you might well be asking 'Okay, so hackers crashed the VIP area, but how did they get the bouncer's list?'. Unfortunately, this is almost as simple to navigate as the authentication flaw itself. By calling the right API endpoints, and knowing where to look, a hacker can access a user's ID quite easily. This gives us the guest list.
This leads us to the second factor. Once a hacker has the guest list, how do they know that they can use it to get into the party? Again, this is sadly simpler than it should be. They ask. 90% of hacks are discovered not because a hacker is looking for something specific but because they are looking for something. In a lot of cases, trial and error are the main tools in discovering a vulnerability in a game or app's security.
How did the hack affect players?
Players were affected to varying degrees. We know that over 300,000 accounts were accessed throughout the period of the hack. The extent of how much information and activity was processed in each account is unclear. We do know, because hackers were able to access the accounts, that they were able to gain access to the games purchased on and linked to the given Nintendo Network accounts. In addition to this, hackers were also able to process payments within the Nintendo platform using the existing players' PayPal and credit card information or funds already allocated to the player's Nintendo account (specific reports are linked to the purchase of V-Bucks, a virtual currency used in battle royale game Fortnite). Player private data including name, email address, location, and date of birth were also accessible.
How do we prepare for authentication flaws?
The end goal of someone attempting to exploit an authentication flaw is always focused on access and authorisation. Put simply, they take advantage of what an account is 'allowed' to do on a platform (whether an account is linked to a moderator, administrator, or standard user for example). They target what roles and access a person has to a network given the status of their account and manipulate it accordingly. As seen from the fallout of the Nintendo hack above, the scope of what a hacker can do when they gain access to an account via an authentication flaw is pretty varied.
Luckily, taking preventative measures against authentication flaws is very simple. Nine times out of ten, these measures can be as simple as just telling the 'bouncer' to ask for proper identification (two-step verification, email confirmation, passwords, etc.) from those trying to get into the party. By including the proper cyber and digital security measures into a game's development cycle, or by leveraging the services of a qualified penetration testing team later in the cycle, the potential for these kinds of hacks to happen can be almost completely eliminated. Having someone who knows where to look before an issue ever arises is key in protecting a game, its reputation, and its players.
We feel it's important in all this not to single out Nintendo as unique in falling prey to an authentication hack. In our experience, authentication and authorisation flaws are hugely common in the gaming industry at large and are often among the most common flaws we discover while performing penetration tests on games and networks. This isn't the first global scale authentication hack and it won't be the last. While it is a simple and easily-avoidable event, we think the most appropriate question to ask in the fallout of this hack isn't 'What did Nintendo overlook that led to this happening?' but 'Now that I've seen this happen, what could I be overlooking in my game?'