A blog post by Maia Arson Crimew, a Swiss hacker, claims that Kick.com has serious security and privacy problems.
The piece makes three main accusations: chat message fabrication, arbitrary file write/XSS, and arbitrary file read/improper AWS access control.
Let's briefly look at what each of these means.
First, chat message fabrication:
As stated in the blog, they discovered that when a message is pinned, the entire message metadata is sent along with the pin request.
Consequently, any user can alter that metadata and impersonate any other chat member.
Second, arbitrary file write/XSS:
According to the post, Kick used Laravel's Vapor upload system incorrectly.
This misconfiguration gave the uploader complete control over the content type and file extension of the uploaded file, which means they could upload files other than images, for example malware.
What made the situation even more concerning was that these uploaded files were hosted on a domain that fell within the scope of all cookies set by Kick.com.
This essentially means that any cookies stored by Kick.com were accessible to the domain where the files were hosted.
As a result, this potentially exposes sensitive user data or authentication tokens.
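As an added example (not Kick.com's or Laravel Vapor's code; the function and type names are my own), here is the difference between an upload handler that stores the uploader's declared content type and extension verbatim and one that derives them from the file bytes:

```python
"""Added illustration of the upload bug class described above.
Hypothetical handlers, not Kick.com's or Laravel Vapor's code."""
import os

# Allowlist of image types the endpoint accepts, keyed by magic bytes.
# Value: (canonical extension, canonical Content-Type)
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}


def weak_upload(client_name, client_content_type, data):
    """The misconfiguration: the uploader's own file name and
    Content-Type are stored and later served verbatim."""
    return {"key": client_name, "content_type": client_content_type}


def sniff(data):
    """Return (ext, content_type) from the leading bytes, or None."""
    for magic, info in MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def hardened_upload(client_name, client_content_type, data):
    """Accept only real images. Client-supplied extension and type are
    checked against the bytes and then discarded. Returns the stored
    object's key and Content-Type, or None if the upload is rejected."""
    ext = os.path.splitext(os.path.basename(client_name))[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return None
    sniffed = sniff(data)
    if sniffed is None:
        return None
    real_ext, real_type = sniffed
    # Declared extension and Content-Type must agree with the bytes.
    if ext.replace("jpeg", "jpg") != real_ext or client_content_type != real_type:
        return None
    # The server chooses the stored name: random id + canonical extension,
    # so nothing from the client's file name reaches the object key.
    # The object should also be served from an origin outside the scope
    # of the application's cookies.
    key = f"{os.urandom(8).hex()}.{real_ext}"
    return {"key": key, "content_type": real_type}
```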
Third, arbitrary file read/improper AWS access control:
Creators' and viewers' reaction
As the article gains traction on social media platforms and discussion forums, users are voicing their worries about the security of their personal information on Kick.com (1,2,3,4,5).
Preserving online security is paramount in building and retaining user trust. Any hint of a data breach or compromised privacy can profoundly affect users' confidence in the platform.
Considering that they willingly share personal data, participate in discussions, and engage in various activities on Kick.com, users' concerns are absolutely justified.
One user has recommended using browsers such as Brave and Firefox to access Kick.com in order to mitigate some of these issues.
This is one of the main reasons why I never submitted my personal info to monetize even after becoming affiliated on Kick.
Source
Man this is very disturbing and not good. Looks like YouTube is the safest route to stream these days. Unless you wanna risk everything. At this point Twitch might be safer than Kick?
Source
Kick.com official response to these security concerns
After growing concerns and fears among its community members, Kick support addressed the issue:
The official response also provides reassurance that Kick.com has a dedicated team of security experts working tirelessly to identify and address any potential vulnerabilities.
Undoubtedly, this open communication approach aims to foster trust and cooperation between the platform and its users.
So, what are your thoughts on this matter? Let us know in the comments below.
PiunikaWeb started as purely an investigative tech journalism website with main focus on ‘breaking’ or ‘exclusive’ news. In no time, our stories got picked up by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and many others.