Hackers take over Twitch streamers’ chat control following channel extension breach

Exploit Discovered in Twitch Extension Prompts Removal

Most Twitch streamers rely on extensions to enhance their streams, but a recent incident served as a reminder that third-party bots can pose serious security risks.

On September 10, the Pando Twitch extension was removed from the platform after hackers found an exploit that allowed them to take control of streamer chats and post profanity or spam links.

Identifying the Common Link

Streamers quickly realized that Pando was the common link among them. It was discovered that the Stream Alerts TV extension, developed by the same team, was also involved.

Additionally, there were concerns that the extension may have compromised streamer accounts, leading some to abruptly end their livestreams. Streamers of all sizes and audiences were affected.

Streamer LunaBori experienced her chat being spammed with threats and a Discord server link. She attempted various fixes, such as disabling bots, but ultimately had to disconnect and restart her livestream. With bots disabled, she was finally able to resolve the issue.

The developer of the extension promptly responded to user complaints and removed it from the platform. Streamer ADJ advised users to log out and reset their passwords to eliminate any active connections, just in case.

Resolution in Progress

CVS Gaming, the team behind the Pando extension, has been working on an update to address the exploit and resolve the issue. According to the developer, Twitch has already disabled the extension, eliminating any further risks for creators.

However, users may need to wait a few more days as the update must be approved by Twitch before being implemented. Similarly, Stream Alerts TV is currently not functioning, suggesting that it is also undergoing approval for a new update.