[Advisory] Streamlabs Prime Website

About

This is a disclosure for Streamlabs. Streamlabs is a company that offers tools for streamers on various platforms, such as alerts for follows, donations, or raids. They also offer tools like wheel spins that can be customized by the streamer.

When a streamer sets up a profile on Streamlabs’ customizable website, they can opt to purchase the ability to add custom links. These custom links are displayed on the personalized site that streamers can link to for receiving tips or donations. The goal is to have a single page for social media links as well as a page with elements of the streamer’s choosing.

I honestly debated about releasing this because a) it’s not so much a security issue (I’ll outline where it is) as it is a bug and b) I rather like Streamlabs. But it is important for streamers to fix this and awareness is key. Because Streamlabs has gone silent on me, I’m releasing this in the hopes it’ll be seen and affected streamers can resolve it.

Details

These custom links can be to social media like Twitter, Instagram, YouTube, Patreon, or arbitrary bit.ly links. They can also be Discord invite links.

In the case of bit.ly and Discord URLs, the link slug or invite code is case-sensitive. At some unknown point, a bug on Streamlabs began converting those stored URLs entirely to lowercase. As a result, visitors were taken to unintended places. Usually this was an error page saying the bit.ly link or Discord invite was invalid. But not in all cases. And that’s where we have the security issue.

In at least one case, a bit.ly link redirected to malware as a result of the link being lowercased.

That’s not good.

The scary part of this is that as far as streamers know, their links are just fine.
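As an added example (not code from the original post or from Streamlabs), the following contrasts the whole-URL lowercasing described above with case-preserving normalization, which only lowercases the scheme and host, and gives a check a streamer or site admin could run over a list of stored links to see which ones would be altered. The host list and sample links are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts whose path component (short-link slug or invite code) is case-sensitive.
# bit.ly and Discord invites are the ones the advisory names; constructed list.
CASE_SENSITIVE_HOSTS = {"bit.ly", "discord.gg", "discord.com"}


def normalize_url(url: str) -> str:
    """Lowercase only the case-insensitive parts of a URL (scheme and host).
    Path, query and fragment keep their case, per RFC 3986 section 6.2.2.1."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def lowercase_whole_url(url: str) -> str:
    """The behaviour the advisory describes: the entire stored URL is lowercased."""
    return url.strip().lower()


def path_case_changed(url: str) -> bool:
    """True when whole-URL lowercasing alters the path, query or fragment,
    i.e. when the stored link no longer matches what the streamer entered."""
    return lowercase_whole_url(url) != normalize_url(url)


def audit_links(links):
    """Return (original, lowercased) pairs for links on a case-sensitive host
    whose slug or invite code would be altered by whole-URL lowercasing."""
    flagged = []
    for link in links:
        host = urlsplit(link.strip()).hostname or ""   # hostname is already lowercased
        if host in CASE_SENSITIVE_HOSTS and path_case_changed(link):
            flagged.append((link, lowercase_whole_url(link)))
    return flagged


# Constructed sample of links as a streamer might have saved them.
SAMPLE_LINKS = [
    "https://bit.ly/StreamSched",        # mixed-case slug: altered, resolves elsewhere or not at all
    "https://discord.gg/AbC123xyz",      # mixed-case invite code: altered
    "https://bit.ly/allower",            # already lowercase: unaffected
    "https://Twitter.com/SomeStreamer",  # host not in the case-sensitive set: not flagged
]

if __name__ == "__main__":
    for original, mangled in audit_links(SAMPLE_LINKS):
        print(f"would be changed: {original} -> {mangled}")
```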

The Fix

Fortunately, the fix is pretty simple. As a streamer, go to the settings page where your links are configured and save them again.

Conclusion

If you are a streamer and have questions, please feel free to reach out to me. Even though this is a bug in Streamlabs, and perhaps a silly one, the consequences can be severe if visitors are inadvertently redirected to malware, or worse, because stored URLs were lowercased.

Keep reading if you want a timeline of events. I have only included the email conversation, though I did reach out to Streamlabs on Twitter for a security contact at the beginning.

If you are a company, please maintain a visible security contact email address or web form.

Disclosure Timeline

  • August 3, 2019

    Initial support ticket detailing the issue

  • August 6, 2019

    Streamlabs responds

  • August 6, 2019

    I provide a screenshot and screen recording demonstrating the issue and confirm it is on multiple browsers and operating systems

  • August 8, 2019

    I ask for confirmation that my information was sufficient

  • August 9, 2019

    Streamlabs responds stating that there is confusion around reproducing the issue

  • August 9, 2019

    I respond that I signed up for Streamlabs Prime and was also unable to reproduce, but provide an additional list of seven streamers that are impacted by this bug

  • September 28, 2019

    I follow up requesting feedback and state that a blog post will be released
