Settings and activity
9 results found
-
475 votes
andOlga
supported this idea
·
-
1,139 votesandOlga
supported this idea
·
An error occurred while saving the comment -
613 votes
Hi, thanks for your feedback!
This status is to let you know your idea has been reviewed. Your idea is open for voting/comments from other Twitch community members. This is a great time to share your idea with others. Learn more about status updates here.
---
For the community: If you like this idea, please vote on it and feel free to add on how it would help you in the comments.
andOlga
supported this idea
·
-
468 votesandOlga
supported this idea
·
-
120 votesandOlga
supported this idea
·
-
69 votesandOlga
supported this idea
·
-
2,542 votes
An error occurred while saving the comment andOlga
commented
It is absurd that publishers re-use names.
It is even more absurd that this issue that has had a solution for decades exists on a wobsite in 2023. Twitch, please -- this is the basic of the basics. This allows a publisher to just make your wobsite unusable for a specific older game should they so choose, or even by accident.andOlga
supported this idea
·
-
2,202 votesandOlga
supported this idea
·
-
89 votesandOlga
supported this idea
·
Not only is the SMS "backup" option *still* impossible to turn off, which makes any app you add worthless -- an attacker can just choose to use the SMS option... but now they have also linked the password reset flow to the phone number as well! Here is a very simple attack scenario that requires NOTHING other than having access to my phone number:
- An attacker somehow intercepts texts sent to my phone number. There's tons of ways to do it, "sim jacking" being by far the simplest. I won't go into an overly long explanation here, your security staff should know what that is.
- They plug this phone number into the password reset flow and choose "I don't know my username".
- They get the username, and now go back into the password reset flow and choose to reset the password using the phone number. By the way: the password reset flow completely bypasses 2FA! It doesn't ask for the code.
- The attacker navigates to the login flow and chooses to use the SMS option instead of the app.
- Now they can log into my account using the password that they've just reset and the 2FA code that is sent to the VERY SAME phone number that was used to reset the password in the first place.
By forcing the SMS options to be on for both password reset and 2FA (if it is enabled) you have created an incredibly vulnerable service, and anyone who does enable 2FA or verify the phone number is effectively on a ticking time bomb until their account gets hijacked -- once they grow large enough.
Now, you *do* have a proper 2FA option: the e-mail one, which is on by default. Assuming my e-mail account is properly secured (which it is!), there are zero issues with the e-mail 2FA flow itself. However, there are two issues that surround it:
1. The e-mail 2FA is not only presented as "less secure" than the phone-based flow, it's actually not even mentioned as an option (even though, again, it's just on by default).
2. Certain Twitch features (e.g. chatting in specific channels, Stream Together or access to the dev portal) are locked behind phone verification, which forcibly exposes the password-reset vulnerability I have described above.
You must give users an option to disable phone-based password reset and 2FA flows if you really wish for accounts to be secure. Asking for a phone number for additional verification is in itself not the main issue here -- the issue is forcibly making the account more vulnerable when it is added.