Live streaming service Twitch dealt with a major bot attack this week and was forced to block logins from exotic browsers to prevent a threat actor from mass-creating new accounts to be used in future hate raids.
According to a developer who creates Twitch-centered software, more than 4 million new accounts were created over the course of roughly 30 hours between late Sunday and early Tuesday this week.
Since such operations are usually carried out with automated tools like headless browsers, Twitch’s security team initially responded to the attack by blocking all user logins from every browser except the most recent versions of Chrome, Firefox, and Edge, which most of its “legitimate” user base would likely be using.
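The two signals the article describes, a sign-up rate far above normal and traffic from automation tooling, are the kind a defender would watch for in account-creation logs. The following is an added example written for this page, not code from Twitch or from CommanderRoot. It assumes a simple log line format (`<timestamp> signup user=<name> ua=<user agent>`), a 60-second window with a threshold of 10 sign-ups, and a short list of user-agent markers for headless browsers; all of these, and the sample log it builds, are constructed for illustration.

```python
"""Flag a mass account-creation burst in sign-up logs (added example, not Twitch's code)."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 timestamp> signup user=<name> ua=<user agent string>"
LINE_RE = re.compile(r"^(\S+) signup user=(\S+) ua=(.+)$")

# Assumed markers of common headless/automation browsers. The user agent is
# client-controlled, so this is a weak, easily evaded signal; sign-up velocity is the stronger one.
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")


def make_sample_log():
    """Constructed sample: three organic sign-ups hours apart, then 20 accounts in 40 seconds."""
    lines = [
        "2021-09-19T20:00:01Z signup user=alice ua=Mozilla/5.0 (Windows NT 10.0) Chrome/93.0",
        "2021-09-19T21:12:44Z signup user=bob ua=Mozilla/5.0 (Macintosh) Safari/605.1",
        "2021-09-19T22:30:09Z signup user=carol ua=Mozilla/5.0 (X11; Linux) Firefox/92.0",
    ]
    start = datetime(2021, 9, 19, 23, 0, 0, tzinfo=timezone.utc)
    for i in range(20):
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} signup user=acct{i:06d} ua=Mozilla/5.0 HeadlessChrome/93.0")
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, user, user_agent) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def parse_log(text):
    """Parse every well-formed line and return events sorted by time."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Sliding-window velocity check.

    Returns one (window_start, count) alert per burst, raised the first time the
    number of sign-ups inside the trailing window reaches the threshold.
    """
    alerts = []
    recent = deque()
    in_burst = False
    for ts, _user, _ua in events:
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and not in_burst:
            alerts.append((recent[0], len(recent)))
            in_burst = True
        elif len(recent) < threshold:
            in_burst = False
    return alerts


def headless_share(events):
    """Fraction of sign-ups whose user agent carries a headless-browser marker."""
    if not events:
        return 0.0
    hits = sum(1 for _, _, ua in events if any(marker in ua for marker in HEADLESS_MARKERS))
    return hits / len(events)


if __name__ == "__main__":
    evts = parse_log(make_sample_log())
    for start, count in find_bursts(evts):
        print(f"burst: {count} sign-ups within 60s starting {start:%Y-%m-%dT%H:%M:%SZ}")
    print(f"headless user-agent share: {headless_share(evts):.0%}")
```

The velocity check is deliberately independent of the user agent: the blocked-browser response described in the article only works until the tooling is updated to present an allowed user-agent string, whereas a sign-up rate orders of magnitude above the normal baseline cannot be hidden by changing a header. In practice the baseline and window would be tuned per service rather than fixed at the assumed values here.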
“There are organized groups trying to create botnets—bots that end up getting used for hate raids. There was one such mob very active recently,” Tom Verrilli said in a Twitter thread yesterday, trying to explain to users what was happening and why some of them couldn’t log in.
“When that happens, we (1) close whatever hole they found, (2) clean up the bot accounts made. Because (1) takes time, we’re temporarily restricting log-in to certain browsers,” he added.
“I totally appreciate it’s a PITA. […] Unfortunately, this is what the work of making Twitch safe entails. Folks need to use a browser not of their preference today to stop tomorrow’s hate raid.”
In the meantime, the list of supported browsers has been expanded to include Apple Safari and Opera GX, and Twitch’s staff has continued to investigate the root cause of the mass sign-ups while whitelisting other browsers.
CommanderRoot, the developer who first spotted the bot attack, said that while Twitch failed to detect the attack when it started, the company was quick to intervene and stopped it two hours after CommanderRoot first tweeted about it. However, CommanderRoot said that four days after the attack took place, most of the accounts had still not been suspended.