ChatGuessr v2.0.1 security release

We've become aware of a security vulnerability in two recent ChatGuessr versions, v1.1.0-alpha.0 and v2.0.0. The vulnerability was announced publicly on 9 April, and we found out about it at the same time as many of you, so we needed some time to assess the impact and develop a solution.

These versions exposed your "OAuth Token" to the ChatGuessr developers, which could in the worst case give moderation access to your channel.

What you should do

Streamers who have used one of the vulnerable versions should upgrade to v2.0.1 immediately and disconnect the "Twitch Chat OAuth Token Generator" application in their Twitch settings.

  1. Go to https://www.twitch.tv/settings/connections
  2. Scroll down to "Other Connections", and find the "Twitch Chat OAuth Token Generator" application.
  3. Click "Disconnect" to remove access.
  4. You will have to log in again in the new ChatGuessr version.

We expect that there could be reliability issues in the new version. If you get logged out mid-game, for example, please let us know by email or on Twitter. If this happens frequently, you can download ChatGuessr v1.0.9 from the sidebar for now, which is not vulnerable.

Players do not have to do anything. This vulnerability applies to the streamer application, not to the ChatGuessr map that you use to make guesses.

The fix

ChatGuessr v2.0.1 has its own ChatGuessr-specific authentication, separate from Twitch. Even if the ChatGuessr authentication is leaked, this will not give access to your Twitch account.

In addition, this implementation allows us to request much less access from Twitch in the first place, so even if a similar issue somehow reoccurs, the impact will be much less severe.

Details

Below is a short technical explanation and timeline of the vulnerability. If you have more questions about the why or how, please contact us at chatguessr@gmail.com.

Since the early days of ChatGuessr, streamers have had to configure an OAuth token in the ChatGuessr settings, and we have recommended using the "Twitch Chat OAuth Token Generator" tool to generate this token. This token is what allows the ChatGuessr application to receive guesses in whispers and send chat messages when a round is complete. The tokens generated by that tool, however, request more access than we need. This wasn't a big problem in the past, but combined with this new vulnerability, it makes the impact worse.

ChatGuessr has been using a server to relay guesses from players to the streamer since version 1.1.0-alpha.0, released on 25 March. This server is what makes it possible for anyone to make guesses directly from the map, instead of having to paste the whisper text into chat. This server requires authentication, so it can verify that only the actual streamer account can receive people's guesses. The aim was to prevent players from pretending to be the streamer and receiving other players' guesses before the round was over, which would've made cheating possible.

The authentication worked by sending a request to Twitch servers to ask what user the OAuth token belonged to. Since the OAuth token was already configured in the ChatGuessr application settings, this was a way to authenticate streamers without requiring them to log in again. These tokens were never stored and never seen by a human.

In version 2.0.0, released on 5 April, OAuth tokens were also sent to ChatGuessr servers when generating the game summary link using the same mechanism. This was done hastily to prevent a spammer from filling up the database with fake data.

We made a big mistake in not double-checking what access the OAuth token actually gives. Our implementation would only be acceptable if the OAuth token was permissionless, but it was not, and in fact it gave more access than we thought.
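The check that was skipped can be automated. The sketch below is an added example, not ChatGuessr code: it reads the JSON body returned by Twitch's token validation endpoint (https://id.twitch.tv/oauth2/validate) and reports which scopes a token carries beyond what the application needs. The scope names are real Twitch scopes, but the "needed" set and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not ChatGuessr code. The needed set is an assumption based on
// the description above (read whispers, read chat, send chat messages).
const NEEDED_SCOPES = ["chat:read", "chat:edit", "whispers:read"];

// Interpret the JSON body of GET https://id.twitch.tv/oauth2/validate.
function auditToken(body, needed = NEEDED_SCOPES) {
  if (!body || typeof body.login !== "string") {
    // Invalid or expired tokens yield an error body without a login.
    return { valid: false, login: null, excess: [], missing: [...needed], permissionless: false };
  }
  // Treat a null or absent scopes field as "no scopes granted".
  const granted = new Set(Array.isArray(body.scopes) ? body.scopes : []);
  return {
    valid: true,
    login: body.login,
    excess: [...granted].filter((s) => !needed.includes(s)).sort(),
    missing: needed.filter((s) => !granted.has(s)),
    // The criterion stated above: sending a token to a server as identity
    // proof is only acceptable if the token carries no scopes at all.
    permissionless: granted.size === 0,
  };
}

// Live lookup (needs network, not called here). Run it on the streamer's
// machine so the token is sent only to Twitch.
async function validateWithTwitch(token) {
  const res = await fetch("https://id.twitch.tv/oauth2/validate", {
    headers: { Authorization: `OAuth ${token}` },
  });
  return auditToken(res.ok ? await res.json() : null);
}

// Constructed sample responses (no real accounts, client IDs or tokens).
const broadToken = {
  client_id: "example-client-id", login: "example_streamer", user_id: "1234", expires_in: 5000000,
  scopes: ["channel:moderate", "chat:edit", "chat:read", "whispers:edit", "whispers:read"],
};
const noScopeToken = { client_id: "example-client-id", login: "example_streamer", user_id: "1234", expires_in: 3600, scopes: null };
const invalidToken = { status: 401, message: "invalid access token" };

function demo() {
  return { broad: auditToken(broadToken), bare: auditToken(noScopeToken), bad: auditToken(invalidToken) };
}
console.log(JSON.stringify(demo(), null, 2));
```

Any non-empty "excess" list is access the application does not need and that a leak would expose.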

The vulnerability was made public on 9 April. We got to work on a solution, but it required pretty big changes to the ChatGuessr application. The old way was so convenient that it allowed us to avoid most of the complexity of a proper login system. The new way is more complicated but also much more secure.

The fixed version was finally released on 17 April.

All in all, the potential leak existed for about 3 weeks.

Lessons

This situation is somewhat of a wake-up call for us. At this point ChatGuessr isn't just a small side project used by friends, but something that streamers depend on for their livelihood, and we should take our responsibility seriously when handling streamer data. For now, we are taking these steps:

  • We are using a new Twitch connection that gives the application less access. It's now also listed as "ChatGuessr" in your Twitch Connections settings so you can easily find it if you do want to revoke access.
  • We strongly recommend streamers use a bot account. In the past we only recommended this to prevent your main account whispers from filling up with guesses, but it's also better for security.
  • In the future, we will never let Twitch authentication tokens leave the streamer's computer. This way nobody, including us, can get access to them. Because we now have completely separate authentication for the ChatGuessr servers, we can easily keep to this rule.