So basically, this guy was prototyping a Twitch chat plugin for OBS Studio. The developer forgot to sanitize the chat input, and it parsed HTML from that source. The chat slowly devolved into general silliness, as users began embedding images and videos, and messing with HTML elements.
wait if it was parsing from the chat then what would stop someone from embedding a link to something really nefarious? people are fucking stupid an will click on random links for the lulz. you just can't fix stupid.
Adam Harris
Absolutely nothing. Hell, if you read the code at 7:29, someone tried stealing his Twitch login tokens. After reading over the comments, it looks like he got lucky and has a good audience, who decided to do silly shit instead of something actually fraudulent.
Henry Mitchell
What an atuistic mess. I feel bad for him. I can not believe streamers are so popular.
Nolan Cooper
ITT: Jow Forums discovered the oldest most trivial web vulnerability
Jordan Fisher
>a bunch of normies laugh at their own stupidity i miss being a teen and enjoying dumb shit
Grayson Fisher
Why the fuck would a program to display chat comments allow you to do this Like why would it parse the comments as html instead of just you know, read the fucking comments and display them Why is it even able to parse html at all?
It's an unreleased alpha version of a Twitch-OBS integration plugin. His friend wrote it.
Jacob Flores
Nice catch @7:29
Tyler Diaz
streamer: "Oh heck no I wouldn't have. I run Firefox in Linux and unless I've mangled something recently I have Flash entirely disabled. I'm also fairly versed in what links to not click. Having said that I was under more danger than I should have allowed myself to be comfortable with - while nothing bad happened it was exactly the kind of opening a talented attacker could have exploited as an opening move in a salvo. Still, I asked my chat to not do too much and they obliged."
Isaiah King
No-one tried scripting?
Jack Myers
> The developer ... >, and it parsed HTML from that source. WTF why would it parse html? is the "developer" some kind of poo in street pajeet or what?
Kayden Miller
Whyyy did he allow this to go on for 14 min?? He's unironically an idiot
Jonathan Brown
Probably paid for a some koding bootcamp and thinks he's a master koder.
Jayden Perez
lol nerd
Grayson Cook
It’s program isn’t parsing html the it’s a web app, the browser is doing the parsing
Comments are being written directly to the document without being sanitized
Joshua Rivera
>I'm also fairly versed in what links to not click. He does realize anyone could trivially make his browser load any webpage, and several people did, right?
Joseph Diaz
I do not think he does. I mean he's just laughing about this instead of closing the browser
Angel Miller
the worse thing for him that could happen is someone linking porn on autoplay so he'd get banned from twitch, and that didnt happen
Brayden Nguyen
An unrealistic but possible scenario would be that someone could direct him to cp. Who knows what would happen to him after that
Dylan Martinez
is your name albert einstein by any chance?
Ryan Cruz
Well, you'd have proper video evidence that proves innocence on his part, so most likely there would be the required police investigation (as a formality) then it's business as usual.
He would probably end up banned from twitch, though.
Josiah Cook
That's not an attempt to do it, that's just somebody warning him it could happen. And it isn't even actually possible. The chat on OBS studio doesn't have access to the browser, much less a different domain's cookies. There was nothing "nefarious" they could do with this. Just like people on stream open random links sent by their viewers all the fucking time.
Caleb Myers
>OMG guys LOL while TASBot was playing SMB3 a chat user named Hexxyr found an unsanitized input vulnerability allowing HTML and CSS to be injected in timeshifter's prototype alpha release filtered Twitch chat software that I (dwangoAC) recently started using to display chat inside OBS, can you say #REKT? LMFAO
to be honest here, its not actually his fault the whole WEB system is a pure joke, user input should never even be able to interfere with web design. I know that most other systems had similar problems, SQL injection, buffer overflows in IRC chats, but those where actual bugs inside code and never intended features.
Eli Turner
> mfw this implies that Twitch isn't sanitizing chat either
I don't know about OBS plugins or what OBS is written in but it sounds like it may be written in electron or maybe some Qt/GTK webview.
Charles Butler
I think OBS's browser display uses CEF, but I'm not 100% sure on that. That said I doubt it's a problem with OBS itself, it's likely a web-page that is displayed using the OBS browser plugin, much like Streamlabs does theirs. Which begs the question why he doesn't just use Streamlabs.
Ryan Foster
Lol retard
Connor Brooks
Not a webdev, what do I have wrong?
Jaxson Garcia
If twitch wasn't sanitizing/escaping their inputs properly, the shit would work just as well in the twitch chat as it does in the guy's plugin
James Gomez
Probably used a webbrowser (IE frame) to render the comments because it's easy but didn't think about the input.
Jeremiah Davis
kek had fun
Hudson Nelson
As others have said, the chat on the left is a different thing that's looking at twitches chat.
The twitch chat on the right was edited in to make a comparison. You can see the actual stream has a game there instead.
Ayden Allen
you saw the license plate meme and now you think your are a cool smart hacker because you recognized this basic issue. kys. I hope you realize html is not koding, markup, even boomers know it from word processor days.
Chase Ortiz
the difference is not whether someone /can/ post interpretable code, but whether or not the code is actually interpreted unsanitised text is executed or interpreted as something besides just plain text, while sanitised text is only treated as plain text it has nothing to do with filtering the text