It appears that ne’er-do-wells were able to post messages during live broadcasts, pretending to be a different user.
Details of the precise nature of the flaw are sketchy, but on June 29 the official Periscope Twitter feed posted to its 230,000+ followers that it was responding to the vulnerability with a patch:
We just patched a chat vulnerability that allows a malicious user to post messages appearing as another user in live broadcasts. This patch stops fake chats from being visible during live broadcasts. They will still appear in Replays till iOS/Andr/Web updates hit
But at the time of writing, iOS users are still at risk of seeing forged messages as the updated version of the app has still not passed review by the App Store.
No doubt that wouldn’t have been helped by it being a holiday weekend in the United States.
It appears that Periscope was able to patch the problem on live video streams fairly easily, but those users who were watching the videos later via the service’s Replays facility could still be exposed until their apps were updated.
From the sound of things, malicious users could have exploited the flaw to spread spammy messages or (worse still) point users to websites that could be designed to phish credentials or contain malicious exploit code designed to compromise their computer.
It’s easy to imagine how a forged high profile account, say belonging to a celebrity, could be exploited with malicious intent in this way.
This isn’t of course the first time that Periscope has suffered problems since its high profile launch nine weeks ago.
Just days after launch it demonstrated an embarrassing privacy hole that saw the titles of private live streaming videos made available for anyone to see. I’ve also spoken separately of my more fundamental privacy concerns with Periscope.