Twitter’s Periscope patches against malicious chatters pretending to be other users

Graham Cluley

Periscope, the live-streaming video app that Twitter launched with some fanfare in March, has suffered a security issue.

It appears that ne’er-do-wells were able to post messages during live broadcasts, pretending to be a different user.

Details of the precise nature of the flaw are sketchy, but on June 29 the official Periscope Twitter feed posted to its 230,000+ followers that it was responding to the vulnerability with a patch:

We just patched a chat vulnerability that allows a malicious user to post messages appearing as another user in live broadcasts. This patch stops fake chats from being visible during live broadcasts. They will still appear in Replays till iOS/Andr/Web updates hit

But at the time of writing, iOS users are still at risk of seeing forged messages in Replays, because the updated version of the app has not yet passed review by the App Store.

No fix released for iOS yet

No doubt that wouldn’t have been helped by it being a holiday weekend in the United States.

It appears that Periscope was able to patch the problem for live video streams on its side fairly easily, without waiting for app updates, but users who watch the videos later via the service's Replays facility could still be shown the forged chats until their apps are updated.

From the sound of things, malicious users could have exploited the flaw to spread spammy messages or (worse still) point viewers to websites designed to phish credentials or host exploit code designed to compromise their devices.

It's easy to imagine how a forged chat message appearing to come from a high-profile account, say a celebrity's, could be exploited with malicious intent in this way.

This isn't, of course, the first time that Periscope has suffered problems since its high-profile launch nine weeks ago.

Just days after launch it demonstrated an embarrassing privacy hole that saw the titles of private live streaming videos made available for anyone to see. I’ve also spoken separately of my more fundamental privacy concerns with Periscope.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
