Twitch is not safe

For a few weeks now, there has been a major security issue ongoing on twitch.tv: bot users with names like hoss00312 are mass-following channels. DO NOT VISIT THEIR USER PAGES.

Apparently, they installed a malicious extension on their pages to grab your IP address. It also appears that these bots are targeting LGBTQI+ streamers, and might launch hate raids against the targeted channels while the streamer is offline, then report them for not moderating their chat.

The best source I found on it was on Reddit.

I’m a bit curious and I’d like to get to the bottom of it. So I tried to investigate a bit with the few bots I managed to catch, because they are quite active. But sadly the user profiles I caught had no extension activated. Did Twitch clean up the extensions or was it just bad luck for me? I can’t tell. But until this issue is solved, here is a bit of advice to protect yourself.

Note that as Twitch is hosting the extensions, they should be fully responsible for blocking and removing malicious extensions.

Why should you take this into consideration?

Well, you all know that basically any server you interact with knows your personal IP address. But why do you want to protect it?

Usually you interact with servers based on trust: when you go to Twitch servers, or Google servers, you trust them not to be malicious. And you trust a third party to certify the identity of the server. This is a baseline of how the internet works, and why you should only visit websites with a valid SSL certificate and avoid shady websites.

Basically, when you consult a page on Twitch, you trust Twitch to keep the connection details between you and Twitch.

Your IP address can be used to attack your home directly. If you are using unsafe devices (basically IoT should always be considered unsafe, I have a note here on how you can isolate IoT from your main network), or if your ISP router is not well secured, a malicious entity having your IP address can get into your network to steal your private data.

Unpatched software is also part of the risk.

Having access to your IP address can also open the way to DDoS attacks to stop a streamer’s stream, etc.

How to protect myself?

  • Don’t visit the pages of users you don’t know
  • Ban usernames like hoss00312, set your chat to sub only or emotes only when not streaming
  • Use a VPN to hide your IP address
  • Secure your connection with a proper firewall (assume your ISP’s built-in one is not enough)
  • Block responses to external pings to your home address (by dropping them)
  • Use private browsing to limit the number of cookies you provide to servers while browsing
  • The next option is to also block Twitch extensions. If you are using AdBlock:
    • Go to the AdBlock Options page
    • Select Customize
    • In Manually Edit your filters add:
https://api.twitch.tv/v5/channels/*/extensions

This last solution will prevent any page from loading its extension list. This is pretty radical, but at least it gets you covered. And you can pause AdBlock on your trusted streamers’ pages.
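
To go with the advice above to ban usernames like hoss00312, here is an added example (not part of the original post, and not Twitch's own tooling) that flags bursts of numbered lookalike accounts in a follower list. It generalizes from the single name in the post: the name pattern (letters followed by three or more digits), the thresholds and the sample follow events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample follow events (username, ISO timestamp); not real Twitch data.
# Only "hoss00312" comes from the post; every other name and time is made up.
SAMPLE_FOLLOWS = [
    ("hoss00312", "2021-01-01T03:00:05"),
    ("hoss00315", "2021-01-01T03:00:40"),
    ("nightowl_kate", "2021-01-01T03:01:00"),
    ("hoss00298", "2021-01-01T03:02:10"),
    ("hoss00401", "2021-01-01T03:04:30"),
    ("gamer2021", "2021-01-01T18:00:00"),
    ("gamer1999", "2021-01-02T21:00:00"),
    ("hoss00777", "2021-01-03T12:00:00"),
]

# Assumed pattern: a letter/underscore prefix followed by three or more digits.
NUMBERED_NAME = re.compile(r"^([a-z_]+)(\d{3,})$")


def flag_numbered_bursts(follows, min_accounts=3, window=timedelta(minutes=10)):
    """Return {prefix: sorted usernames} for prefixes where at least
    min_accounts distinct numbered accounts followed within `window`."""
    by_prefix = defaultdict(list)
    for name, ts in follows:
        match = NUMBERED_NAME.match(name.lower())
        if match:
            by_prefix[match.group(1)].append((datetime.fromisoformat(ts), name.lower()))

    flagged = defaultdict(set)
    for prefix, events in by_prefix.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans no more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {n for _, n in events[start:end + 1]}
            if len(names) >= min_accounts:
                flagged[prefix] |= names
    return {prefix: sorted(names) for prefix, names in flagged.items()}


if __name__ == "__main__":
    for prefix, names in flag_numbered_bursts(SAMPLE_FOLLOWS).items():
        print(f"ban candidates for prefix {prefix!r}: {', '.join(names)}")
```

A lone numbered name such as gamer2021, or a lookalike that follows days later, is not flagged, so review the candidates before banning.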
