Require Authentication for the Get Chatters Endpoint
Currently, this endpoint: https://tmi.twitch.tv/group/user/<CHANNEL>/chatters
Can be used freely without any authentication or scope.
This is definitely being abused with the hate raids. It's been abused by malicious actors for a long time now. Why has this endpoint been created in such a way that there is zero barrier for a malicious actor to obtain user data?
Even the Get Polls endpoint (https://dev.twitch.tv/docs/api/reference#get-polls) requires both authentication and a scope!
How has that Get Chatters endpoint not yet been removed an replaced with a secure Helix endpoint, as stated here: https://twitch.uservoice.com/forums/310213-developers/suggestions/39145294-chatters-viewers-helix-api-endpoint
This is not ok.
Zaytri
shared this idea
The Twitch API Chatters endpoint is generally available now.
-
HostileBot
commented
The user list, or chatters, isn't updated frequently enough to provide much value anyway. It takes a minute or two to register a user joining/leaving. This has always been publicly accessible in any chat I've seen though, unless Twitch has added the option for channel owners to disable it.
-
pjonp
commented
That endpoint should no longer exist.
It should have never made it to v5 and I'm perplexed how an open endpoint that shows all of the viewers in chat is still active. It's been abused for years.
If you need to keep it, then add a `channel:read:chatters` scope; and don't grandfather it in.
An anonymous user shouldn't be able to get a list all the of members in certain chat.