Just a few months ago Twitch came out with a new way to support streamers: Bits, a new cheering system. Straight from the Twitch Guide to Cheering: "Cheering is a new way to show support for streamers and celebrate the moments you love with the community. A Cheer is a chat message that uses Bits, which are evolving animated Emoticons that you can buy." These Bits can be purchased through Twitch for real money. Another way to get Bits is to watch ads on Twitch.
Depending on the ad you watch, you receive 5 or more Bits in return. After monitoring what type of traffic was going through, I noticed this one endpoint:

I noticed that after you change the key value (the value after the 2nd '-') in
`10531-4516e7124b89d9dbba3182bfde5491c2093676df-1483467364`, you are given another 5 or more Bits for 'watching an ad' even though you didn't watch an ad. At this point I wanted to check if there was any rate limiting implemented. There wasn't. Once I figured out there was no rate limiting in place, I set up Intruder in Burp Suite and incremented from
1883467363. A little bit of overkill, but I did 8000+ requests and got a little over 20,000 Bits in a few minutes (valued at around $300). Just a note: some of the requests gave a 500 error, resulting in no Bits. And yes, these Bits did indeed work; I sent 200 Bits over to a streamer that I watch regularly.
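The key in the write-up has three '-'-separated fields (an id, a 40-hex digest and a unix timestamp), and the report is that changing the last field produced a new payout each time, with no rate limit. The following is an added example, not code from the post or from Twitch: it models that behaviour (a client-supplied key accepted as proof of an ad view, with the only replay check being "have we seen this exact string") next to a hardened version in which the server issues single-use tokens whose HMAC covers every field, consumes them on redemption, expires them, and rate-limits per user. The service classes, the HMAC key and the `farm_bits` loop (a stand-in for Burp Intruder's numeric payload) are all assumptions made for illustration; the sample key is the one from the post.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumptions (example code, not Twitch's implementation): the server credits
# BITS_PER_AD per accepted ad view and holds an HMAC key for issuing tokens.
BITS_PER_AD = 5
SERVER_SECRET = secrets.token_bytes(32)


class VulnerableRewardService:
    """Models the reported behaviour: a client-supplied key is taken as proof of an
    ad view, and the only replay check is 'have we credited this exact string
    before'. Any change to the trailing field therefore yields a fresh payout."""

    def __init__(self):
        self.seen = set()
        self.balance = defaultdict(int)

    def redeem(self, key: str, now: float) -> int:
        user = key.split("-")[0]          # digest and timestamp are never verified
        if key in self.seen:
            return 0
        self.seen.add(key)
        self.balance[user] += BITS_PER_AD
        return BITS_PER_AD


class HardenedRewardService:
    """Server-issued, single-use tokens: the MAC covers every field, redemption
    consumes the token, stale tokens expire, and redemptions are rate-limited."""

    def __init__(self, max_per_window: int = 3, window_s: int = 60, ttl_s: int = 300):
        self.max_per_window, self.window_s, self.ttl_s = max_per_window, window_s, ttl_s
        self.unredeemed = set()                 # tokens issued but not yet consumed
        self.redeem_times = defaultdict(list)   # user -> recent redemption times
        self.balance = defaultdict(int)

    @staticmethod
    def _mac(user: str, nonce: str, ts: str) -> str:
        msg = f"{user}-{nonce}-{ts}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Called only when the ad server confirms the view actually finished."""
        nonce, ts = secrets.token_hex(16), str(int(now))
        token = f"{user}-{nonce}-{ts}-{self._mac(user, nonce, ts)}"
        self.unredeemed.add(token)
        return token

    def redeem(self, token: str, now: float) -> int:
        try:
            user, nonce, ts, mac = token.split("-")
        except ValueError:
            return 0                                     # malformed
        if not hmac.compare_digest(mac, self._mac(user, nonce, ts)):
            return 0                                     # tampered (e.g. incremented ts)
        if token not in self.unredeemed:
            return 0                                     # never issued or already spent
        if now - int(ts) > self.ttl_s:
            return 0                                     # expired
        recent = [t for t in self.redeem_times[user] if now - t < self.window_s]
        if len(recent) >= self.max_per_window:
            return 0                                     # rate limited: worth alerting on
        self.unredeemed.discard(token)                   # single use
        self.redeem_times[user] = recent + [now]
        self.balance[user] += BITS_PER_AD
        return BITS_PER_AD


def farm_bits(service, key: str, field: int, start: int, count: int, now: float) -> int:
    """Replays the key with one '-'-separated field replaced by an incrementing
    number, the way Burp Intruder does with a numeric payload. Returns total Bits."""
    parts, total = key.split("-"), 0
    for n in range(start, start + count):
        parts[field] = str(n)
        total += service.redeem("-".join(parts), now)
    return total


def demo() -> dict:
    now = 1483467364.0                      # the epoch value in the write-up's key
    key = "10531-4516e7124b89d9dbba3182bfde5491c2093676df-1483467364"

    vuln = VulnerableRewardService()
    farmed_vuln = farm_bits(vuln, key, 2, 1483467365, 100, now)        # 100 payouts

    hard = HardenedRewardService()
    token = hard.issue("10531", now)
    legit = hard.redeem(token, now)                                     # genuine view
    farmed_hard = farm_bits(hard, token, 2, int(now) + 1, 100, now)    # MAC fails
    replay = hard.redeem(token, now)                                    # already spent
    return {"farmed_vulnerable": farmed_vuln, "legit": legit,
            "farmed_hardened": farmed_hard, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the client never gets to assert that an ad was watched: the token only exists because the server created it on confirmation, and tampering with any field (which is exactly what incrementing the timestamp does) fails the MAC before any state is touched. The rate limit is a second, independent control; a burst of rejected redemptions for one account is also the signal the fraud side would want to alert on.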
Eventually, about 30 minutes later, an automated system seems to have detected an anomaly and restricted access to my Bits. Shortly after, my account was suspended.
Another issue that I noticed but can't really confirm is what is contained inside the HTTP request.
`"currency_amount":"1"` seems to show the cost per view. Therefore, every single time this request is made the company is out a dollar, and that can add up very quickly, especially if 8000+ requests were made during my testing. I noticed this after the vulnerability was resolved and didn't get to test whether or not changing
`"currency_amount":"1"` made any difference. What if the value had been changed from 1 to
10? Guess we'll never know.
When you change the key value now, you receive this HTTP response:
About 30 minutes after reporting the vulnerability to Twitch security, it seemed like an automated system restricted my access to the Bits on my account, and shortly after that my account was suspended. I contacted customer support to see why my account was suspended, and in the end everything was resolved. It seems that the number of requests and the amount of Bits suddenly appearing alerted Fraud, and an automated system suspended my account. While I was in San Francisco at the beginning of January, I was contacted by Twitch security and they apologized for the delays. Twitch security clearly explained the situation and invited me to visit the Twitch office for a tour. The delay in response time was due to the holidays and I should have expected that, but as some of you know, my patience is very thin :).
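The write-up says the sudden volume of requests and Bits is what tripped Fraud. As an added example (not Twitch's detection logic, whose details the post does not describe), here is the kind of check that catches the pattern from reward-endpoint access logs: a sliding window over successful redemptions per account, plus a cap on total Bits credited. The log line format, the `/bits/ad_reward` path and the two accounts in `sample_log()` are all constructed for the example; only 200 responses are counted, since the post notes that the 500s paid nothing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (assumption, not Twitch's): one line per reward request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) endpoint=(?P<ep>\S+) "
    r"status=(?P<status>\d{3}) bits=(?P<bits>\d+)$"
)
REWARD_ENDPOINT = "/bits/ad_reward"   # hypothetical path standing in for the real one


def parse_line(line: str):
    """Return (epoch, user, endpoint, status, bits) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["user"], m["ep"], int(m["status"]), int(m["bits"])


def detect_reward_farming(lines, max_per_window=10, window_s=60, bits_cap=500):
    """Return {user: reason} for accounts with more than max_per_window successful
    redemptions inside any window_s span, or more than bits_cap Bits credited.
    Only 200s count: failed requests credited nothing. Lines are sorted first so
    out-of-order log delivery does not break the window."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent, credited, flagged = defaultdict(deque), defaultdict(int), {}
    for ts, user, ep, status, bits in events:
        if ep != REWARD_ENDPOINT or status != 200:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window_s:        # drop redemptions older than the window
            q.popleft()
        credited[user] += bits
        if len(q) > max_per_window:
            flagged.setdefault(user, f"{len(q)} redemptions in {window_s}s")
        elif credited[user] > bits_cap:
            flagged.setdefault(user, f"{credited[user]} Bits credited")
    return flagged


def sample_log() -> list:
    """Constructed lines: one account hitting the endpoint every 2 s (with a few
    500s mixed in, as the post describes) and one account redeeming twice, half
    an hour apart."""
    lines = []
    for i in range(30):
        status = 500 if i % 7 == 6 else 200
        lines.append(f"2016-12-29T02:00:{2 * i:02d}Z user=10531 endpoint={REWARD_ENDPOINT} "
                     f"status={status} bits={5 if status == 200 else 0}")
    lines.append(f"2016-12-29T02:00:10Z user=20999 endpoint={REWARD_ENDPOINT} status=200 bits=5")
    lines.append(f"2016-12-29T02:30:10Z user=20999 endpoint={REWARD_ENDPOINT} status=200 bits=5")
    return lines


if __name__ == "__main__":
    print(detect_reward_farming(sample_log()))
```

Thresholds are the tunable part: a legitimate viewer can only finish a bounded number of ads per minute, so a window count well above that bound is a low-noise signal, while the Bits cap catches a slower drip that stays under the per-minute limit. Either rule firing is a reason to freeze the balance before suspension, which is roughly the order of events the post describes.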
- December 29th - Reported
- December 30th - Contacted firstname.lastname@example.org regarding status
- December 30th - Vulnerability resolved.
- January 3rd - Contacted Twitch security regarding status
- January 5th - Twitch responded with explanation
If you find any vulnerabilities on Twitch and would like to responsibly disclose them, go to https://www.twitch.tv/p/security