This is a disclosure for Streamlabs. Streamlabs is a company that offers tools for streamers on various platforms, such as alerts of follows, donations, or raids. They also offer tools like wheel spins that can be customized for the streamer.
When a streamer sets up a profile on Streamlabs’ customizable website, they can opt to purchase the ability to add custom links. These custom links are displayed on the personalized site that streamers can link to for receiving tips or donations. The goal is to have a single page for social media links as well as a page with elements of the streamer’s choosing.
I honestly debated about releasing this because a) it’s not so much a security issue (I’ll outline where it is) as it is a bug and b) I rather like Streamlabs. But it is important for streamers to fix this and awareness is key. Because Streamlabs has gone silent on me, I’m releasing this in the hopes it’ll be seen and affected streamers can resolve it.
These custom links can be to social media like Twitter, Instagram, YouTube, Patreon, or arbitrary bit.ly links. They can also be Discord invite links.
In the case of bit.ly and Discord URLs, the link identifiers are case-sensitive. At some unknown time, a bug on Streamlabs made those URLs all lowercase. As a result, users would be taken to unintended places. Usually this would be an error page saying the bit.ly link or Discord invite was invalid. But not in all cases. And that’s where we have the security issue.
In at least one case, a bit.ly link redirected to malware as a result of the link being lowercased.
That’s not good.
The scary part of this is that as far as streamers know, their links are just fine.
Fortunately the fix is pretty simple. As a streamer, go to your settings where you have the links and save them again.
If you are a streamer and have questions, please feel free to reach out to me. Even though this is a bug in Streamlabs, and perhaps a silly bug, the consequences can be severe if users are inadvertently redirected to malware, or worse, because of this treatment of URLs being lowercased.
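To make the defect concrete, here is an added example (my own illustration, not Streamlabs’ code): the lowercasing that reproduces the bug, the RFC 3986 normalization that should have been used instead (only scheme and host are case-insensitive), and a small check that tells a streamer which stored links differ from what they entered only by case on a host where case matters. The host list and sample links are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the post names whose path part is a case-sensitive identifier.
# This set is constructed for the example, not a Streamlabs configuration value.
CASE_SENSITIVE_PATH_HOSTS = {"bit.ly", "discord.gg"}


def buggy_normalize(url: str) -> str:
    """Reproduces the defect described in the post: the whole URL is lowercased,
    which rewrites case-sensitive bit.ly and Discord identifiers."""
    return url.strip().lower()


def safe_normalize(url: str) -> str:
    """RFC 3986 normalization: only the scheme and host are case-insensitive.
    Path, query and fragment are kept byte-for-byte as the streamer entered them."""
    parts = urlsplit(url.strip())
    # urlsplit already lowercases the scheme; the host (netloc) is lowercased here.
    # Userinfo is not expected in a profile link, so lowercasing netloc whole is fine.
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def link_was_damaged(entered: str, stored: str) -> bool:
    """True when the stored copy of a link differs from what was entered only by
    case in the path/query/fragment, on a host where that case matters."""
    e, s = urlsplit(entered.strip()), urlsplit(stored.strip())
    if (e.hostname or "") != (s.hostname or ""):
        return False  # different site altogether; not this bug
    if (s.hostname or "") not in CASE_SENSITIVE_PATH_HOSTS:
        return False  # e.g. Twitter handles survive lowercasing
    entered_tail = (e.path, e.query, e.fragment)
    stored_tail = (s.path, s.query, s.fragment)
    return entered_tail != stored_tail and \
        tuple(t.lower() for t in entered_tail) == tuple(t.lower() for t in stored_tail)


def links_to_resave(pairs):
    """Given (entered, stored) pairs, return the entered links that need re-saving."""
    return [entered for entered, stored in pairs if link_was_damaged(entered, stored)]


if __name__ == "__main__":
    # Constructed sample links; the identifiers are made up for the example.
    sample = [
        ("https://bit.ly/AbC123", buggy_normalize("https://bit.ly/AbC123")),
        ("https://discord.gg/XyZ9Qw", buggy_normalize("https://discord.gg/XyZ9Qw")),
        ("https://twitter.com/SomeStreamer", buggy_normalize("https://twitter.com/SomeStreamer")),
    ]
    print(links_to_resave(sample))  # the bit.ly and discord.gg links, not the Twitter one
```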
Keep reading if you want a timeline of events. I only included the email conversation, though I did reach out to Streamlabs on Twitter for a security contact at the beginning.
If you are a company, please maintain a visible security contact email address or web form.
August 3, 2019
Initial support ticket detailing the issue
August 6, 2019
August 6, 2019
I provide a screenshot and screen recording demonstrating the issue and confirm it is on multiple browsers and operating systems
August 8, 2019
I ask for confirmation that my information was sufficient
August 9, 2019
Streamlabs responds stating that there is confusion around reproducing the issue
August 9, 2019
I respond that I signed up for Streamlabs Prime and was also unable to reproduce, but provide an additional list of seven streamers that are impacted by this bug
September 28, 2019
I follow up requesting feedback and state that a blog post will be released