Twitter’s Periscope patches against malicious chatters pretending to be other users

Periscope, the live-streaming video app that Twitter launched with some fanfare in March, has suffered a security issue.

It appears that ne’er-do-wells were able to post messages during live broadcasts, pretending to be a different user.

Details of the precise nature of the flaw are sketchy, but on June 29 the official Periscope Twitter feed posted to its 230,000+ followers that it was responding to the vulnerability with a patch:

We just patched a chat vulnerability that allows a malicious user to post messages appearing as another user in live broadcasts. This patch stops fake chats from being visible during live broadcasts. They will still appear in Replays till iOS/Andr/Web updates hit


But at the time of writing, iOS users are still at risk of seeing forged messages, as the updated version of the app has not yet passed review by the App Store.

No fix released for iOS yet

No doubt that wouldn’t have been helped by it being a holiday weekend in the United States.

It appears that Periscope was able to patch the problem on live video streams fairly easily, but those users who were watching the videos later via the service’s Replays facility could still be exposed until their apps were updated.

From the sound of things, malicious users could have exploited the flaw to spread spammy messages or (worse still) point users to websites designed to phish credentials or to serve malicious exploit code intended to compromise their computer.

It’s easy to imagine how a forged message from a high-profile account, say one belonging to a celebrity, could be exploited with malicious intent in this way.

This isn’t, of course, the first time that Periscope has suffered problems since its high-profile launch nine weeks ago.

Just days after launch it demonstrated an embarrassing privacy hole that saw the titles of private live streaming videos made available for anyone to see. I’ve also spoken separately of my more fundamental privacy concerns with Periscope.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
