Some Nintendo Switch owners made an unpleasant discovery this week: Pornographic images are appearing in Super Mario Odyssey, the result of a hack that lets Switch owners add (and upload) custom avatars to their profiles.
The hack does not appear to be widespread, but a user on Reddit posted photos of that kind of indecent content on the Nintendo Switch subreddit, warning parents to disable online connectivity on the console.
For now, the spread of pornographic images appears limited to Super Mario Odyssey and that game’s Luigi’s Balloon World mode. In Luigi’s Balloon World, which was released as a free update earlier this year, players are tasked with hunting down balloons that other players have hidden. Those balloons display the online avatar of the person who hid them. Normally, those avatars are limited to harmless images of Nintendo characters and Miis, the avatar system that Nintendo introduced with the Wii.
However, this week saw the spread of a piece of Nintendo Switch developer software called DevMenu. Switch hackers have discovered ways to load DevMenu on retail Switch consoles, and have since found a way to use DevMenu to create and upload custom avatar images. Inevitably, that led to some users uploading pornographic photos and illustrations as their profile pictures, which then spread to Luigi’s Balloon World in Super Mario Odyssey.
DevMenu appears to have been leaked to the public after a member of the Switch hacking community purchased a developer kit on eBay. A poster on the Switch Haxing subreddit and GBAtemp forums said they bought a “defective” Switch from a seller, which turned out to be an EDEV unit — a console intended for software developers. The buyer has since deleted their original Reddit post in which they asked what they should do with it; multiple posters suggested sending it or dumping its software data so homebrew developers and hackers could study it. It appears that shortly afterward, a torrent containing the EDEV unit’s data was uploaded to an anonymous storage service.
Installing DevMenu seems pretty simple, though it requires custom firmware. Currently, there’s not much that Switch owners can do with DevMenu outside of modifying their avatars, though that may change as hackers spend more time with it; it could lead to easier software piracy.
Polygon has reached out to Nintendo for comment and will update when the company responds.
Correction: This post originally said that a software vulnerability in games like Pokémon Quest enabled installation of DevMenu, which was inaccurate.