Always sanitize your inputs

So basically, this guy was prototyping a Twitch chat plugin for OBS Studio. The developer forgot to sanitize the chat input, and it parsed HTML from that source.
The chat slowly devolved into general silliness, as users began embedding images and videos, and messing with HTML elements.

Video here:
youtube.com/watch?v=2GtbY1XWGlQ

Attached: Screenshot_20181120_141052.png (1282x718, 599K)

wait if it was parsing from the chat then what would stop someone from embedding a link to something really nefarious? people are fucking stupid and will click on random links for the lulz. you just can't fix stupid.

Absolutely nothing. Hell, if you read the code at 7:29, someone tried stealing his Twitch login tokens.
After reading over the comments, it looks like he got lucky and has a good audience, who decided to do silly shit instead of something actually fraudulent.

What an autistic mess. I feel bad for him. I can not believe streamers are so popular.

ITT: Jow Forums discovered the oldest most trivial web vulnerability

>a bunch of normies laugh at their own stupidity
i miss being a teen and enjoying dumb shit

Why the fuck would a program to display chat comments allow you to do this
Like why would it parse the comments as html instead of just you know, read the fucking comments and display them
Why is it even able to parse html at all?

Attached: 1528428160346.png (769x595, 262K)

Because it's a webapp

It's an unreleased alpha version of a Twitch-OBS integration plugin. His friend wrote it.

Nice catch @7:29

streamer: "Oh heck no I wouldn't have. I run Firefox in Linux and unless I've mangled something recently I have Flash entirely disabled. I'm also fairly versed in what links to not click. Having said that I was under more danger than I should have allowed myself to be comfortable with - while nothing bad happened it was exactly the kind of opening a talented attacker could have exploited as an opening move in a salvo. Still, I asked my chat to not do too much and they obliged."

No-one tried scripting?

> The developer ...
>, and it parsed HTML from that source.
WTF why would it parse html? is the "developer" some kind of poo in street pajeet or what?

Whyyy did he allow this to go on for 14 min?? He's unironically an idiot

Probably paid for some koding bootcamp and thinks he's a master koder.

lol nerd

The program isn’t parsing html, it’s a web app, the browser is doing the parsing

Comments are being written directly to the document without being sanitized

>I'm also fairly versed in what links to not click.
He does realize anyone could trivially make his browser load any webpage, and several people did, right?

I do not think he does. I mean he's just laughing about this instead of closing the browser

the worst thing for him that could happen is someone linking porn on autoplay so he'd get banned from twitch, and that didn't happen

An unrealistic but possible scenario would be that someone could direct him to cp. Who knows what would happen to him after that

is your name albert einstein by any chance?

Well, you'd have proper video evidence that proves innocence on his part, so most likely there would be the required police investigation (as a formality) then it's business as usual.

He would probably end up banned from twitch, though.

That's not an attempt to do it, that's just somebody warning him it could happen. And it isn't even actually possible.
The chat on OBS studio doesn't have access to the browser, much less a different domain's cookies. There was nothing "nefarious" they could do with this.
Just like people on stream open random links sent by their viewers all the fucking time.

>OMG guys LOL while TASBot was playing SMB3 a chat user named Hexxyr found an unsanitized input vulnerability allowing HTML and CSS to be injected in timeshifter's prototype alpha release filtered Twitch chat software that I (dwangoAC) recently started using to display chat inside OBS, can you say #REKT? LMFAO

Attached: 1542750988830.jpg (800x800, 53K)

to be honest here, it's not actually his fault the whole WEB system is a pure joke, user input should never even be able to interfere with web design. I know that most other systems had similar problems, SQL injection, buffer overflows in IRC chats, but those were actual bugs inside code and never intended features.

> mfw this implies that Twitch isn't sanitizing chat either

Attached: smugevilpepe.jpg (474x536, 46K)

no it doesn't

cringe

you don't understand how any of this works, huh?

I don't know about OBS plugins or what OBS is written in but it sounds like it may be written in electron or maybe some Qt/GTK webview.

I think OBS's browser display uses CEF, but I'm not 100% sure on that. That said I doubt it's a problem with OBS itself, it's likely a web-page that is displayed using the OBS browser plugin, much like Streamlabs does theirs. Which begs the question why he doesn't just use Streamlabs.

Lol retard

Not a webdev, what do I have wrong?

If twitch wasn't sanitizing/escaping their inputs properly, the shit would work just as well in the twitch chat as it does in the guy's plugin

Probably used a webbrowser (IE frame) to render the comments because it's easy but didn't think about the input.

kek had fun

As others have said, the chat on the left is a different thing that's looking at Twitch's chat.

The twitch chat on the right was edited in to make a comparison. You can see the actual stream has a game there instead.

you saw the license plate meme and now you think you are a cool smart hacker because you recognized this basic issue. kys. I hope you realize html is not koding, markup, even boomers know it from word processor days.

the difference is not whether someone /can/ post interpretable code, but whether or not the code is actually interpreted
unsanitised text is executed or interpreted as something besides just plain text, while sanitised text is only treated as plain text
it has nothing to do with filtering the text
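
Added example, not part of the thread and not the plugin's code: a chat overlay that concatenates chat text into markup, next to a version that encodes it on output, which is the interpreted-versus-plain-text distinction the last post draws. The function names, usernames and chat lines are constructed for illustration.

```javascript
// Added illustration: function names and sample chat lines are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: chat text concatenated straight into markup
// (DOM equivalent: element.innerHTML = message).
function renderUnsafe(user, message) {
  return `<li><b>${user}</b>: ${message}</li>`;
}

// Hardened pattern: every untrusted field is encoded before it reaches markup
// (DOM equivalent: element.textContent = message).
function renderSafe(user, message) {
  return `<li><b>${escapeHtml(user)}</b>: ${escapeHtml(message)}</li>`;
}

// Names of the elements a browser would create from the markup.
function liveTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g)].map((m) => m[1].toLowerCase());
}

// Constructed chat lines: plain text, an image, injected CSS, and a hostile display name.
const SAMPLE_CHAT = [
  ['viewer1', 'hello chat, 1 < 2 && 3 > 2'],
  ['viewer2', '<img src="https://example.invalid/cat.png">'],
  ['viewer3', '<style>body{transform:rotate(180deg)}</style>'],
  ['<marquee>viewer4</marquee>', 'names are untrusted too'],
];

// For each line, list the elements each renderer would hand to the browser.
function compare() {
  return SAMPLE_CHAT.map(([user, message]) => ({
    unsafe: liveTags(renderUnsafe(user, message)),
    safe: liveTags(renderSafe(user, message)),
  }));
}

for (const row of compare()) {
  console.log('unsafe:', row.unsafe.join(','), '| safe:', row.safe.join(','));
}
```

The safe renderer never drops or rewrites what a viewer typed; the text still displays exactly as sent, it just cannot create elements.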