Better content security and end-user control over extension loading
A security incident with my account recently convinces me Twitch is very vulnerable to cross-site scripting. I would therefore like to constructively suggest:
motivating and applying proper content security policies to filter out untrusted third-party dependencies; these seem to be completely missing right now?
giving the end user, the viewer, more control over which extensions are loaded on a stream, independent of the streamer's configuration... I want to block all extensions from now on, but I can't easily?
maybe doing the threat modelling to exclude all CSRF-related threats, if not already done
Where my proof is limited, my analysis of the incident with my account suggests a bot was able to send messages from my account and browser session through cross-site scripting, implying either an insecure Twitch third-party dependency OR an insecure extension.
What happened is that last Saturday, while lurking in a stream, I suddenly saw a lot of message boxes pop up with a link in them. At the time I thought they were messages sent TO me, but with my account restored now I can see they were sent FROM my account somehow. My account was then disabled by Twitch and has been reactivated meanwhile.
Since I had 2-factor enabled, it seems unlikely to me that this was just a case of stolen credentials.
If Twitch applies any meaningful secure web best practices (same-site policy, CSRF tokens, ...), then leaked session tokens should also not be likely.
My browser is configured to allow HTTPS only (and I would expect Twitch to set the corresponding configuration); I guess Twitch's TLS configuration could be insecure (e.g. TLS v2 instead of v3 with insecure settings)... but it seems far-fetched to me for a spam bot to go through the trouble of cracking even badly configured TLSv2 encryption? So a man-in-the-middle session hijack seems a bit far-fetched to me here too.
Additionally, immediately after it happened I wanted to create a new account to be able to let my favourite Twitch people know I wasn't gonna be around or gift subs for a while... I couldn't from my IP, I had to do that on VPN. The fact that Twitch automatically blacklisted my IP after the incident suggests to me the spam did originate from my setup AND not from a remote setup that stole/hijacked my session.
I like to think I'm not sloppy with security on my setup. My browser and virus scanner are up to date, my browser config is reviewed and set as securely as possible, and I always enable 2-factor. There were also barely any extensions in my browser (the most common adblocker and a Google Translate plugin).
I think that the most likely way this happened is that through cross-site scripting a script was injected into my session, so either through an insecure Twitch extension or an insecure Twitch third-party dependency. Most likely the script was directly sending the spam messages from my browser session.
Whether you accept that conclusion or not, I do think it's reasonable to ask to evaluate whether Twitch is not all too vulnerable to cross-site scripting. It seems to me HTTP Content-Security-Policy headers are not used, raising the question of whether any meaningful content security policy is applied at all? AND it does seem fair to me to give the end user control over their security... so Twitch extensions on-stream should NEVER be enabled or even loaded by default without the end user's permission (independent of whether they need an account connection or not).
My 2 cents.
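The post asks whether a meaningful Content-Security-Policy is applied at all. As an added example (not Twitch's code and not part of the original post), here is a small Python checker that parses a CSP header value and reports the settings that would still let injected script run: a missing header, no script-src/default-src, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard or scheme-only sources, and plugins not locked down with object-src 'none'. The two sample headers are constructed, and the hostname static.example.com is a placeholder.

```python
"""Minimal Content-Security-Policy audit (added example, not Twitch's code).

Parses a CSP header value and lists the settings that leave injected script
able to run. The sample headers at the bottom are constructed; the hostname
static.example.com is a placeholder.
"""
from typing import Dict, List, Tuple

# Sources that effectively allow script to be loaded from anywhere.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "dir1 a b; dir2 c" into {"dir1": ["a", "b"], "dir2": ["c"]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Tuple[str, List[str]]:
    """Resolve a fetch directive: use it if present, otherwise fall back to default-src."""
    if directive in policy:
        return directive, policy[directive]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return "", []


def audit_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means nothing risky was spotted."""
    findings: List[str] = []
    if not header.strip():
        return ["no Content-Security-Policy header: any injected <script> runs"]
    policy = parse_csp(header)

    directive, sources = effective_sources(policy, "script-src")
    if not directive:
        return ["neither script-src nor default-src set: script sources unrestricted"]

    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # CSP Level 2 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so only flag it when it is actually in effect.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append(f"{directive} allows 'unsafe-inline': injected inline scripts run")
    if "'unsafe-eval'" in sources:
        findings.append(f"{directive} allows 'unsafe-eval': string-to-code execution enabled")
    for s in sources:
        if s in BROAD_SOURCES or s.startswith("*."):
            findings.append(f"{directive} allows broad source {s}")

    # Plugins (object/embed) can execute code too; the usual hardening is object-src 'none'.
    obj_directive, obj_sources = effective_sources(policy, "object-src")
    if "'none'" not in obj_sources:
        findings.append(f"{obj_directive or 'object-src'} does not restrict plugins to 'none'")
    return findings


# Constructed sample headers: a permissive policy and a nonce-based strict one.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
STRICT_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mV4lu3' https://static.example.com; "
    "object-src 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {audit_csp(header) or ['no findings']}")
```

Run it against the value of a site's Content-Security-Policy response header (for example, copied from the browser's network panel). A strict policy that pins script to 'self' plus a per-response nonce and sets object-src 'none' produces no findings; the permissive sample produces four, and the absent-header case the post suspects produces the first finding on its own.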