All PC versions of the Dark Souls games will remain offline for the foreseeable future, according to a new tweet from series publisher Bandai Namco, in order to fix at least one major security vulnerability. Further, the developers are working to ensure that the same serious vulnerability does not persist in FromSoftware’s upcoming game Elden Ring, due out on February 25.
While that may sound like bad news, some players are actually pleased that FromSoftware and Bandai Namco are finally taking time to fix at least some of their games’ most dangerous exploits.
The publisher took all its Souls-series PC game servers offline on January 23 “to allow the team to investigate recent reports of an issue with online services.” This was an oblique way of referring to the numerous security vulnerabilities a number of technically gifted players had been trying to get the developers to acknowledge and fix, some for years. (Note: It appears that the lion’s share of the current exploits only affect PC players. Servers for all console versions of the games remain up.)
The most serious reported security vulnerabilities, referred to as remote code execution (RCE) exploits, could allow hackers to take full control of players’ PCs. The story finally broke out into the open about two weeks ago when a person with knowledge of the most recently discovered RCE exploit, frustrated over Bandai Namco’s reticence to fix the issue, demonstrated the exploit live on an unwitting Twitch streamer’s broadcast.
In new reporting from Video Games Chronicle, one member of the Dark Souls community asserts that there are over 100 cheats and security vulnerabilities in Dark Souls III that affect PC players, and the source states that the presence of these serious problems in Elden Ring is “inevitable” due to the Souls series’ shared network infrastructure.
“While it’s not much, I have modded a few other games with an online component and nothing came close to how ‘broken’ Souls networking is,” the player who found the most recent RCE exploit told VGC.
Back in December of last year, that player, who wishes to remain anonymous, reached out to Bandai Namco to alert it of the severe risk posed by the new RCE exploit, going so far as to provide two PDFs demonstrating the RCE and suggesting how to fix it. According to VGC, a representative from the Bandai Namco support team acknowledged receipt of the emails, saying the information was “sent to the dedicated teams so they can investigate and take the necessary measures.”
But after over a month without further action, the player decided to take matters into their own hands with that livestream stunt, with an eye toward bringing public attention to the severe flaw and hopefully lighting a bonfire under Bandai Namco’s ass.
“It really seems like the online is ‘pasted’ over a single-player game and no thoughts are given about security,” the exploit-finder told VGC. “It’s staggering how many game structs are memory-mapped into network packets and sent to other players, then used by the receiving player’s game directly. There are almost no data sanity checks.”
That doesn’t bode well for PC Elden Ring being safe to play online, does it? So you can see why some players are relieved that FromSoftware and Bandai Namco are finally taking action on an unspecified number of the reported issues.
Kotaku reached out to the publisher for comment.
Elden Ring comes out on February 25 for Xbox One, Xbox Series X/S, PlayStation 4, PlayStation 5, and PC.