Date: 2022-01-24

A security vulnerability in FromSoftware’s hit RPG Dark Souls 3 could allow hackers to take control of players’ PCs and steal their data.

The issue was first made public during a Twitch live stream on Friday, 21 January 2022.

During a gameplay session, the streamer was interrupted by an intruder who launched Microsoft PowerShell on his computer with a text-to-speech script popping up on his screen and insulting him.

Soon after that, a post on the subreddit of one of FromSoftware’s much-anticipated upcoming games, Elden Ring, revealed the flaw was a remote code execution (RCE) vulnerability that potentially lets malicious actors run arbitrary code on a target’s system without their permission.

“This is a serious exploit that can cause lasting damage to your computer and all of its contents,” the post stated.

The damaging capabilities it could give an attacker include bricking a user’s computer, stealing login details for accounts, and deploying malware like Bitcoin miners.

A day later, publisher Bandai Namco thanked users for reporting the issue and said it had informed a relevant internal team about it to take action.

The Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered online servers were subsequently taken down on Sunday.

PvP servers for Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered have been temporarily deactivated to allow the team to investigate recent reports of an issue with online services.

Servers for Dark Souls: PtDE will join them shortly. We apologize for this inconvenience. — Dark Souls (@DarkSoulsGame) January 23, 2022

In addition to staying offline while playing the game, members of the Souls Reddit community recommended that players install the Blue Sentinel mod, an add-on modification that helps detect hacking.

Although it initially did not protect against the vulnerability, it has been updated to detect the RCE exploit.

The mod makers, Sfix, warned the issue was also found in the code for the data-mined version of Elden Ring, which is set to release on 24 February 2022.

However, Sfix developer Dalvik clarified that the user who initially discovered the vulnerability was the only one who knew how it worked. It had not been leaked on the Internet as some users had claimed.

Dalvik said the intrusion into The Grim Sleeper’s stream only came after the vulnerability was reported directly to FromSoftware through multiple channels. However, the developer supposedly ignored the reports.

“In an attempt to raise awareness to it so that it would be fixed, he did a live benign showcase on stream,” Dalvik said.

“Only because the person who has it isn’t malicious and actually understands the severity of what he discovered, it isn’t likely to damage your computer,” he added.