Twitch malware spends users' money

By Joe Miller, Technology Reporter

Published 12 September 2014

Image caption: On Twitch, gamers can watch each other play live online (image copyright Twitch)

Malicious software spread via chat forums on the video games streaming site Twitch can spend users' money without authorisation, it has emerged.

The Finnish security firm F-Secure said clicking on the malware links also enabled infiltrators to wipe accounts on the gaming shop, Steam.

Twitch is advising users not to use links from unknown sources.

The site, which was recently bought by Amazon for $970m (£597m), has more than 55 million unique monthly viewers.

Image caption: The malware woos users with the promise of prizes (image copyright F-Secure)

The vulnerability originates from an automated account which, according to F-Secure, "bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as 'Counter-Strike: Global Offensive' items".

If viewers take the bait, they are invited to fill in their name and email address, which then lets the malicious software gain control, allowing it to:

Take screenshots

Add new friends in Steam (a gaming shop and community commonly linked to Twitch accounts)

Accept pending friend requests in Steam

Initiate trading with new friends in Steam

Buy items, if user has money

Send a trade offer

Accept pending trade transactions

A spokesman for Twitch told the BBC that the vulnerability was the "first instance" he had seen, but that the site would "remind our community about not clicking on links from unknown sources just like they wouldn't on other social media sites".

He added: "Please note that we give all broadcasters the option to disable links in their chat which can easily prevent this."

Update: On Saturday, a spokesman said Twitch had only received two reports of the malware attack, and had blocked the link.