This is why you sanitize user input: Chat hacked live by XSS/HTML code injection, hilarity ensues
Video of a HTML injection on stream Craziness ensues

Follow by Email
Facebook
Twitter
Instagram
While TASBot was playing SMB3 a chat user named Hexxyr found an unsanitized input vulnerability allowing HTML and CSS to be injected in timeshifter's prototype alpha release filtered Twitch chat software that I (dwangoAC) recently started using to display chat inside OBS. What happened next was a live impromptu demonstration of my chat audience discovering new ways to take advantage of the exploit and a perfect example of why you should always sanitize user input to prevent raw HTML tags from being passed through. It should be noted that allowing chat to continue to test the limits was inherently risky. A number of somewhat bad things *did* happen, but with only minimal consequences. The chat display tool only needs to know what Twitch channel to connect to (dwangoAC in this case) and did not have an auth token so there was no risk of that being stolen. Still, there were substantial risks from the perspective that chat could have displayed inappropriate images or otherwise could have caused far more damage than they did. While what happened here was hilarious I can almost guarantee that it will not be as funny for you if you ever make the same mistake and allow input which has not been sanitized in your own application. This specific video is the complete and uncut hilarity of what happened when Twitch Chat figured out how to hack the living daylights out of the chat display tool I use. Twitch chat broke a number of things including mangling my microphone's audio pitch and turning me into "deepwango" by creating a mismatch between 44.1 kHz and 48 kHz audio. I even got rickrolled all through the power of raw HTML tags and CSS! The massive breakage ended up being insanely hilarious. In the strictest sense you could say it wasn't technically XSS (Cross-Site Scripting) because there was no second site, only unsanitized user input parsed as code. The chat text that was being displayed simply had raw tags embedded that were then rendered by the browser. Credit for the discovery of the exploit goes to @VixusFoxy (Twitter, https://hackerone.com/vixus) who also goes by the name Hexxyr in Twitch chat as I spoke it in the video. The source code for the chat client including the HTML sanitization fix made by timeshifter toward the end of the video can be found at: https://github.com/timeshifter/twitch-filtered-chat If you have no idea who TASBot is, he's a game-smashing robot that plays back Tool-Assisted Speedruns on real consoles and often does his own fair share of glitching. He's appeared at a number of Games Done Quick charity marathons and in this particular video he was attempting to play Super Mario Bros. 3. I, dwangoAC, am his keeper and as Ambassador on staff at TASVideos I attempt to console verify existing TAS runs that were originally made in an emulator. Discord - http://Discord.TASBot.net Live stream - http://twitch.tv/dwangoAC TASBot home - http://TASBot.net More TAS's - http://TASVideos.org All TASVideos.org content used with permission under Creative Commons Attribution 2.0.

Comments

Mr Fathead : You are lucky you have cool followers because it looks like they could have easily got you banned from twitch.

Nincadalop : *Gets hacked *Chuckles I'm in danger

Andrew Seich : I love his response. "You guys just hacked my chat and broke the hell out of it..... DO IT AGAIN!"

John Tyler : The chat getting rotated was just the best.

Armando : But can you run doom on your chat?

Zupprezed : such kind hearts in your chat, none of them put porn on them scripts

jackjt8 : Sometimes the YouTube recommendations actually give me something truly wonderful. This was one of them.

Kai Lanausse : Twitch plays twitch chat

Aaron Haun : And that one guy POSTs your cookies away.

Ultracity6060 : They turned his chat into a late 90s GeoCities website.

Kira Slith : I'm surprised nobody tried framing your window inside itself.

SirNapkin1334 : I like how there are these people who don't know JS, they're just copying the

eri : Twitch chat any% ACE

anasheoaki : I bet that chat runs games better then my computer... Thats sad

thefyrewire : That's pretty hilarious. I had a similar 'incident' a few weeks ago when a certain micro500 did the same to my custom chat. Fortunately he was feeling kind and the worst I got was a bunch of marquees and popup alerts lol.

Memes On Piano : "); DROP TABLE DATA-- don't worry this won't do anything