WRnet:sec 1.5 – How I stumbled upon an Embarrassing Security Hole on Twitch

//A write-up of what led me to submit the bug to Twitch.

How I found this hole: something kept popping up on my Twitter timeline, and for the past 8+ months a follower would follow me and then immediately unfollow. I decided to wait for the next time this person or account followed and unfollowed me. The username was obviously all over Twitch and known from one person to the next as LunaSec, with various other “kid” hacker aesthetics.

Tracking the evidence:

  1. They claim these are bots, but what if I told you they are not bots but an actual streamer?
  2. Another piece of evidence is what caught my attention: the link to the post from MCBTVe.
  3. Here are a few screens I’ve taken personally when I visit. Same motive, but different GIFs every time.

I got that username and loaded it up on my Kali Linux VMware with a VPN loaded (normally I use Slackware, but I have been extremely unmotivated lately to produce documentation on making Slackware the ultimate hack box).
Loaded up Burp Suite and went to town on logging. Now we have a target that is abusing it, using TTS to speak live on the microphone. I am not curious to know who this is, as this person is technically out to exploit people rather than report this hole to Twitch.

Note: Twitch has a bug bounty program; they are not fully into it, but they would be if people actually used it.

  1. After maybe 30 minutes of reading the logs I acquired, and confirming with 4 different accounts they created, they all linked to this. If you look below at the 2 images, I found that a header designed for loading image files is loading a custom PHP file.
    What does this mean?
    Malicious PHP files.
    What is a PHP file?
  2. This is what that cut.php loaded, but I didn’t get the chance to grab the logs; the PHP loads web exploits and attempts to inject malware into your computer. I didn’t save the logs & screenshots, sadly, and the domain was removed as soon as Twitch patched the hole. (Sure it will return sooner or later.)
  3. This wasn’t only a widget; it also loaded on on-screen displays such as the one below, exploiting the hole and loading the PHP in place of an image.
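The check a defender would want here, as an added example that is not code from the original post or from Twitch: an overlay or widget that accepts a URL "as an image" should verify that what comes back actually is image data before rendering it. The snippet below compares three things a fake image gets wrong: the URL's file extension, the declared Content-Type, and the first bytes of the body (the well-known PNG/GIF/JPEG/WebP signatures). The sample responses are constructed; the hostnames (`cdn.example`, `overlay.example`) are placeholders, and `cut.php` is only the filename mentioned above, not a real resource.

```python
# Added example (not from the original post): classify a resource that a widget or
# on-screen display loads "as an image", so that a server-side script or HTML page
# served in place of image data is flagged for review instead of rendered.

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Leading bytes of common web image formats (well-known file signatures).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}

# Extensions that mean "server-side script", which should never sit in an image slot.
SCRIPT_EXTENSIONS = {"php", "asp", "aspx", "jsp", "cgi"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def sniff_image_type(body: bytes):
    """Return the MIME type implied by the body's first bytes, or None if not an image."""
    for sig, mime in IMAGE_SIGNATURES.items():
        if body.startswith(sig):
            return mime
    # WebP: 'RIFF' <4-byte size> 'WEBP'
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None


def check_image_resource(url: str, content_type: str, body: bytes) -> Verdict:
    """Compare URL extension, declared Content-Type and body signature; collect mismatches."""
    reasons = []

    # 1. Does the URL even claim to be an image?
    filename = urlparse(url).path.lower().rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"url points at a server-side script (.{ext}) where an image was expected")

    # 2. Does the server say it is sending an image?
    declared = content_type.split(";")[0].strip().lower()
    if declared == "image/jpg":          # common non-standard spelling
        declared = "image/jpeg"
    if not declared.startswith("image/"):
        reasons.append(f"declared Content-Type {declared!r} is not an image type")

    # 3. Do the bytes actually look like an image?
    sniffed = sniff_image_type(body)
    if sniffed is None:
        head = body[:64].lower()
        if any(marker in head for marker in (b"<?php", b"<html", b"<!doctype", b"<script")):
            reasons.append("body begins with PHP/HTML/script markup, not image data")
        else:
            reasons.append("body does not start with a known image signature")
    elif declared.startswith("image/") and sniffed != declared:
        reasons.append(f"declared {declared} but bytes look like {sniffed}")

    return Verdict(ok=not reasons, reasons=reasons)


# Constructed sample responses (hostnames are placeholders, not real sites).
SAMPLES = [
    ("https://cdn.example/overlay/alert.gif", "image/gif", b"GIF89a" + b"\x00" * 20),
    ("https://overlay.example/cut.php", "text/html; charset=utf-8", b"<!DOCTYPE html><html></html>"),
    ("https://overlay.example/img.png", "image/png", b"<?php echo 1; ?>"),
]


def audit(samples=SAMPLES):
    """Return [(url, Verdict)] for every sample; callers decide whether to block or alert."""
    return [(url, check_image_resource(url, ctype, body)) for url, ctype, body in samples]


if __name__ == "__main__":
    for url, verdict in audit():
        status = "OK  " if verdict.ok else "FLAG"
        print(f"{status} {url}")
        for reason in verdict.reasons:
            print(f"       - {reason}")
```

Running it flags the `cut.php` response on all three counts and the `img.png` response on the body check alone; only the real GIF passes. The point of checking the bytes, not just the declared type, is that a server under the attacker's control can send any Content-Type it likes.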

Irony: they are saying this is the person who is doing hate raids. I beg to differ, as we have people like “The Chronic Gamer”, “twitch bot viewer services” and other sources that let you chat as if you are on IRC (the hate raids emulate IRC-style flood attacks).

This was a bad actor not related to the hate raids; it took me 30 minutes to rule that out.
If you have seen anything above and seen your IP address, I super highly recommend that you check your PC for malware infestation or get a professional to help.