A startling discovery took place on Friday, when a streamer fell victim to what appears to be a Remote Code Execution (RCE) attack in Dark Souls 3 live on stream. In the clip, a hack can be seen crashing the streamer’s game, after which PowerShell reportedly opened and ran a script that trash-talked the player using Microsoft text-to-speech.
According to a message linked in the SpeedSouls Discord server, only one person is publicly known to be able to execute this code. That person is not malicious and is working to bring the issue to the developers’ attention. The hack has been demonstrated but is not widespread yet.
In the message linked in the server, a user who goes by the name Princess Slut stated: “A person who isn’t malicious discovered a new RCE method, and tried to contact From about it through multiple channels. They ignored him. In an attempt to raise awareness to it so that it would be fixed (as this is a SEVERE security flaw), he did a live benign showcase on stream. It didn’t leak. Nobody has it besides him.”
Princess Slut continued: “He is in contact with sfix so we can fix it on [Blue Sentinel] but this isn’t ideal, as the base product is insecure. We’re also thinking about Elden Ring as it will have that exploit as well. The attempts to get From’s attention and get an official fix for their exploits is what drives most of us.”
An IT specialist I talked to about the potential for this type of hack said: “This is literally the doomsday scenario, someone could completely destroy your computer beyond repair with this exploit… If people can run code on your computer, it is over, they can do anything they want.”
Among the things that hackers could carry out with an RCE exploit are:
- Bricking your PC entirely
- Stealing sensitive data and passwords stored on your PC
- Executing malware on your PC
- Using your PC to mine cryptocurrency
- Pretty much anything you can think of
We don’t know the full extent of the RCE. It is probable that an attacker can elevate permissions on the PC. That isn’t confirmed, but it is likely, according to experts I talked to about this issue.
The same hack could also be possible in Elden Ring, since it uses the Dark Souls 3 engine. Elden Ring is not out yet, but if it releases without a fix, new players of the game could face the risk of serious damage to their computers if they play online, since a hacker could execute destructive code on their PCs.
As a result of this hack, you should not play Dark Souls 3 or Elden Ring online until an official fix is pushed by the developers. As of now, there is no known way to avoid the hack if you do play those games online. According to reports from experts familiar with the situation, the Blue Sentinel mod is not currently able to protect you. Its developers are working to add those protections, but even then, the base game is not safe and there is no guarantee that Blue Sentinel will be safe.
https://www.invenglobal.com/articles/16226/dark-souls-3-elden-ring-remote-code-execution-doomsday-scenario-hack