Extensions: Prevent IP leaking and DDoS blackmail
Extensions can currently be used to leak IP addresses.
Currently there is a host of scammers who create follow bots that idle in streamers' chats to bait the streamer into visiting them, steal their IP address, and in turn send blackmail messages that threaten to DDoS the streamer unless they pay a ransom.
A system needs to be created to prevent this. Something like:
- An option to disable extensions globally
- Have viewers approve extensions before they are enabled on streams
- Have Twitch manually approve developed extensions before they can be added to stream pages
Telling all streamers to never visit channels of their followers, or manually banning the multitude of bots in channels where this keeps happening, is not sustainable. Moderating many streamer chats, I've banned countless of these bots using semi-automated scripts and informed streamers' mod chats via Discord, but I realize something better must be done Twitch-wide.
The most recent examples of these blackmail bots are some with usernames starting with "hoss" followed by random letters. If you see any of these, DO NOT open their Twitch profile page.
The message I wrote isn't entirely accurate: the vulnerability they used is not an installed extension, but an extension to set their profile image to be directly linked to an external server, which in turn logs the visitor's IP.
Here is a list of bots for Twitch which I've banned in most streams so far. There are so many, and I see more being created, so I can't keep up with banning them.
Reminder: Do NOT open these streams unless you're using a VPN.