Complete mitigation with updated Android, iOS and Web app

Jun 30, 2015 07:50 GMT

A vulnerability in Periscope, the live streaming service from Twitter, allowed a user to impersonate another user in the chat component.

Periscope was launched in March as a means to broadcast video from a mobile phone and share it with a select group of people or with the entire world. The service comes with chat functionality to allow viewers to post comments related to the content.

User impersonation can lead to plenty of problems

In a couple of short tweets on Tuesday, the service announced that its developers had fixed a glitch that could have created a lot of trouble for its users.

“We just patched a chat vulnerability that allows a malicious user to post messages appearing as another user in live broadcasts,” reads the first message distributed to more than 228,000 followers on Twitter.

There aren’t too many details available about the flaw, but simply knowing that someone could pose as another user and post comments makes the problem a noteworthy one.

This type of glitch could be exploited by a malicious actor to direct viewers to malicious domains or to deliver spam that appears to come from higher-profile accounts.

Updates for iOS, Android and Web apps will fully patch the bug

Periscope said on Twitter, though, that the currently available patch would not be fully effective: bogus chat lines would still be available in Replays, a feature that allows watching the live-streamed video for a period of 24 hours after it has finished playing.

However, once the iOS, Android and Web updates are pushed, the security hole will be eliminated completely.

This is not the first time Periscope has had to deal with security issues. Just two weeks after its launch, the service faced a bug affecting the privacy of its users: when a live stream was shared with a restricted group on Twitter, all followers would be able to see the name of the “show,” placing the broadcaster in an awkward position if the title was offensive to someone.