A blog post by Maia Arson Crimew, a Swiss hacker, claims that Kick.com has serious security and privacy flaws.

The post makes three main claims: chat message fabrication, arbitrary file write leading to XSS, and arbitrary file read through improper AWS access control.

Let's briefly look at what each of these means.

First, chat message fabrication:

[Image: Kick chat message fabrication (source link)]

As the blog explains, when a user pins a message, the client sends the entire message object, metadata included, along with the pin request, and the server uses that client-supplied data rather than its own record of the message.

Consequently, any user can fabricate a pinned message that appears to come from any other chat member.

Second, arbitrary file write/XSS:

In their view, Kick used Laravel's Vapor upload system incorrectly.

[Image: Kick arbitrary file write (source link)]

This misconfiguration let any uploading user control both the content type and the file extension of the stored object, which means they could upload files other than images, for example an HTML page carrying script, or malware.

What made the situation more serious is that the uploaded files were hosted on a domain that falls within the scope of the cookies set by Kick.com.

That means the browser attaches Kick.com's cookies to requests to the file-hosting domain, and script in an uploaded HTML page served from there can read any of those cookies that are not marked HttpOnly through document.cookie.

As a result, session tokens or other sensitive cookie data could be exposed to an attacker-controlled page.

Third, arbitrary file read/improper AWS access control:

[Image: Kick improper AWS access control (source link)]

Creators' and viewers' reaction

As the post gains traction on social media and discussion forums, users are voicing concern about the security of their personal information on Kick.com (1, 2, 3, 4, 5).

[Image: Kick.com security concerns (source link)]

Preserving security is essential to building and retaining user trust, and any hint of a data breach or compromised privacy can seriously affect users' confidence in a platform.

Since users willingly share personal data, take part in discussions, and engage in other activities on Kick.com, their concerns are justified.

One user has recommended accessing Kick.com from browsers such as Brave or Firefox; that may limit tracking, but it does nothing against server-side flaws like message fabrication or unsafe file hosting.

This is one of the main reasons why I never submitted my personal info to monetize even after becoming affiliated on Kick.
Source

Man, this is very disturbing and not good. Looks like YouTube is the safest route to stream these days, unless you wanna risk everything. At this point Twitch might be safer than Kick?
Source

Kick.com official response to these security concerns

In response to growing concern among community members, Kick support addressed the issue:

[Image: Kick.com support response on security concerns (source link)]

The official response also states that Kick.com has a dedicated security team working to identify and address potential vulnerabilities.

This public response is evidently intended to foster trust and cooperation between the platform and its users.

So, what are your thoughts on this matter? Let us know in the comments below.

PiunikaWeb started as purely an investigative tech journalism website with main focus on ‘breaking’ or ‘exclusive’ news. In no time, our stories got picked up by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and many others. Want to know more about us? Head here.

Karanjot Sidhu
