Feature Suggestions

Implement simple anti-phishing measure for links sent in donations.

I thought I would send a report for a possible vulnerability affecting streamers using StreamLabs that was highlighted in a recent incident where TimTheTatman was hacked. The attacker apparently used non-standard characters which appeared very similar to their equivalent English characters on the Streamlabs website in order to easily phish TimTheTatman, as he believed the URL was legitimate.

Of course, it is possible to fall victim to phishing in many ways, and it would be impossible for StreamLabs to try to protect against it fully, but it would be a relatively simple and probably very effective anti-phishing measure to implement a simple link validation on the streamer's notifications page and display an alert if anything out of the ordinary was contained in a link (non-ASCII characters). Using a technique similar to the one here: https://stackoverflow.com/a/150078, you could do client-side validation of donation links and display a warning to streamers if a link contains any non-standard characters, since domains with these characters are very often specifically crafted for phishing-type attacks. This could definitely help prevent future attacks of a similar sort on other streamers.

  • fu5ha
  • Feb 17 2018
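One way to implement the client-side check the post describes, as an added example that is not part of the original post or of Streamlabs' code: it assumes the donation message arrives as free text, extracts links with a constructed regex, and relies on the standard WHATWG URL parser (available in browsers and Node), which punycode-encodes internationalized hostnames, so both the raw characters and the parsed host can be inspected.

```javascript
// Added example (not Streamlabs code): flag links in a donation message whose
// text contains characters outside plain ASCII, or whose hostname parses to an
// internationalized (punycode, "xn--") domain, so the streamer sees a warning
// before clicking. Message format and regex are assumptions for this example.

// Crude link extraction from free-form donation text (constructed pattern).
const URL_PATTERN = /\bhttps?:\/\/[^\s<>"']+/giu;

// Anything above U+007F is "out of the ordinary" for a domain typed in a URL.
const NON_ASCII = /[^\x00-\x7F]/u;

// Parse with the WHATWG URL class; an IDN host comes back as xn-- labels.
function hostOf(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch {
    return null; // unparsable text, nothing to report on the host
  }
}

// Returns one warning object per suspicious link: { link, reasons[] }.
function checkDonationLinks(message) {
  const warnings = [];
  for (const raw of message.match(URL_PATTERN) || []) {
    const reasons = [];
    if (NON_ASCII.test(raw)) {
      reasons.push('non-ASCII characters in link');
    }
    const host = hostOf(raw);
    if (host && host.split('.').some(l => l.toLowerCase().startsWith('xn--'))) {
      reasons.push(`internationalized domain (${host})`);
    }
    if (reasons.length > 0) warnings.push({ link: raw, reasons });
  }
  return warnings;
}

// Text for the alert shown on the notifications page.
function formatAlert(warnings) {
  return warnings
    .map(w => `Suspicious link ${JSON.stringify(w.link)}: ${w.reasons.join('; ')}`)
    .join('\n');
}

// Constructed sample: the second message uses Cyrillic "а" (U+0430) in place
// of the Latin "a", which renders almost identically in most fonts.
const SAMPLES = [
  'Great stream! https://example.com/donate',
  'Free sub for you: https://ex\u0430mple.com/login',
];
for (const msg of SAMPLES) console.log(formatAlert(checkDonationLinks(msg)) || 'ok');
```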