
DrFujiBot 2.1.0 and New Twitch Account Requirements

EverOddish edited this page Jul 5, 2022 · 17 revisions

Summary

As of DrFujiBot 2.1.0, you will need to provide your own Twitch account (your main account or an alt account) for the bot to use for all responses in Twitch chat. The DrFujiBot Twitch account will no longer be available in your Twitch chat.

Explanation

Since the beginning of DrFujiBot 2.0.0 (released in 2019), the Twitch authorization token for the DrFujiBot Twitch account has been hiding in plain sight inside the DrFujiBot software. This means that anyone can take that token and impersonate DrFujiBot on Twitch, if they know how to find the token. If DrFujiBot is a moderator in a channel, this allows the impersonator to perform any moderator action in that channel, including banning other users.
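"Hiding in plain sight" means the token sits in the files that every download of the bot contains, so anyone who unpacks a release can grep for it. The scanner below is an added example written for this page, not DrFujiBot's own code: it walks a constructed release tree and reports every string in Twitch's IRC password shape (`oauth:` followed by the token), including one wrapped in base64. The two sample files, the placeholder token and the assumed token length range are all constructed for the demonstration.

```python
from __future__ import annotations

import base64
import binascii
import json
import re
import tempfile
from pathlib import Path

# Constructed placeholder in the shape Twitch IRC expects ("oauth:" + token);
# it is not a real credential.
FAKE_TOKEN = "oauth:abcdefghijklmnopqrstuvwxyz0123"

# Twitch user access tokens are lowercase alphanumeric; the exact length is an
# assumption here, so the pattern accepts a range rather than a fixed width.
TOKEN_RE = re.compile(r"oauth:[a-z0-9]{20,64}")
# A base64 run long enough to contain an encoded "oauth:..." string.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_tokens(text: str) -> set[str]:
    """Return every oauth token visible in text, including inside base64 runs."""
    found = set(TOKEN_RE.findall(text))
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad padding, stray characters, ...)
        found.update(TOKEN_RE.findall(decoded.decode("utf-8", "ignore")))
    return found


def scan_tree(root: Path) -> dict[str, set[str]]:
    """Map each file (path relative to root) to the tokens found in it."""
    hits: dict[str, set[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        tokens = find_tokens(path.read_bytes().decode("utf-8", "ignore"))
        if tokens:
            hits[path.relative_to(root).as_posix()] = tokens
    return hits


def build_demo_release(root: Path) -> None:
    """Write a constructed release tree: one plaintext token, one base64-wrapped."""
    (root / "bot").mkdir(parents=True)
    (root / "bot" / "settings.py").write_text(
        f'TWITCH_NICK = "drfujibot"\nTWITCH_PASS = "{FAKE_TOKEN}"\n'
    )
    wrapped = base64.b64encode(json.dumps({"pass": FAKE_TOKEN}).encode()).decode()
    (root / "bot" / "creds.json").write_text(json.dumps({"blob": wrapped}))
    (root / "README.md").write_text("Run the installer, then open the admin site.\n")


def demo() -> dict[str, set[str]]:
    """Build the constructed release in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_release(root)
        return scan_tree(root)


if __name__ == "__main__":
    for file, tokens in demo().items():
        print(f"{file}: {', '.join(sorted(tokens))}")
```

Running this against a real release directory before publishing it is the check that would have caught the 2.0.0 token; the base64 pass exists because wrapping a secret in an encoding is the most common way it ends up "hidden" without actually being hidden.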

This is obviously a security concern, but it was a conscious decision on my part, because I wanted to make DrFujiBot as easy to use as possible. It meant that users could have the DrFujiBot Twitch account answer commands in their Twitch chat without any other configuration needed. And it meant that I no longer needed to run a server for DrFujiBot (which is where the token was kept safely in DrFujiBot 1.0). My hope was that no one would go looking for the token, and that no one would abuse it.

In April 2022, a user by the name of Minecool contacted me and rightfully brought this security concern to my attention. I asked if they had seen any abuse, to which they replied no. I contacted a few streamers to let them know that having DrFujiBot as a moderator could present a risk, and took no further action. After some time passed, Minecool wrote their own Twitch bot to impersonate DrFujiBot and demonstrated the risks in channels where DrFujiBot was a moderator by having their bot (acting as DrFujiBot) ban another Twitch account. This caused several streamers to be concerned, some of whom contacted me directly about the problem.

Now that the cat is out of the bag, I no longer believe that it's safe to leave DrFujiBot's Twitch token hidden inside the software. That is why I am now requiring that users of DrFujiBot provide their own Twitch account, and can no longer use the DrFujiBot account. The DrFujiBot token has been revoked, so that it cannot be used by anyone.

I apologize to anyone directly affected by this security issue for the stress caused, and I hope that you will continue to use the software in the future, if you so choose.

Questions and Answers

What do I need to do?

Log in to any new or existing Twitch account at https://twitch.tv that you want the bot to run as. Download and run the DrFujiBot 2.1.1 installer. Once installation completes, follow the instructions on the main page of the administration website to complete authorization of your Twitch account.

Will my Twitch account token be safe?

Yes, it will only be stored locally on your computer, and it will not be shared with other users of DrFujiBot or with me.

Can I safely make my Twitch account moderator?

Yes, because no one else will have access to your token or be able to impersonate your account, unless you specifically share the token with someone or someone else gains access to the files on your computer.

Why can't you just tell everyone to un-mod DrFujiBot and leave it accessible to everyone?

Because even without moderator powers, someone could abuse the DrFujiBot account by posting messages in Twitch chat that are against Twitch terms of service, and get the DrFujiBot account banned, at which point no one could use DrFujiBot's account.

Why does PokemonChallenges get to keep using the DrFujiBot account in his channel?

Jan pays someone to maintain a server that hosts a special version of DrFujiBot instead of running it on his own computer. This allows all of Jan's moderators to access the shared dashboard and configuration. Since his Twitch channel is large and I've known him for a long time, I'm happy to allow him to continue to use DrFujiBot with a new token that is kept safe on his server.

Can I do the same thing? Host my own server and use the DrFujiBot account?

Yes, you can host your own server and go through all the extra steps if you want to. No, you can't use the DrFujiBot account, because I can't trust random people on the internet with the token.

Can't you encrypt the token or implement some other technical solution?

I could add encryption, but the decryption key would still need to exist somewhere the software can reach, and the token would still be decrypted and used at some point on your computer. Anyone determined enough can always work out where the token is hiding. I could store the token on a server and have users request it, instead of storing it locally on the user's computer, but again, the token would be visible somewhere on your computer at some point and could be intercepted. A Trusted Platform Module (TPM) could keep a key sealed in hardware, but not everyone's computer has one, it would be a lot of work to implement, and the token would still have to be unsealed into memory to be sent to Twitch, where a user who controls the machine can read it. The bottom line is, a token is never safe when it's on someone else's computer. I don't want to play the cat-and-mouse game of hide-the-token, only to have to hide it better each time someone finds it.
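To make the "encryption doesn't help" argument concrete, here is an added example (written for this page, not DrFujiBot's code) of the two designs side by side. The first half emulates "hide the token with encryption": the ciphertext ships next to the seed that derives its key, so a plain grep for the token finds nothing, yet anyone holding the files recovers it by running the same derivation the program would. The second half is the per-user model the 2.1 release moves to: the token never ships, and each user's own token is written to a local file readable only by that user. The cipher (SHA-256 counter keystream with XOR), the seed string, the file name and the placeholder token are all constructed for the demonstration and are not what the project uses.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed placeholder in Twitch's "oauth:<token>" shape; not a real credential.
FAKE_TOKEN = "oauth:abcdefghijklmnopqrstuvwxyz0123"
# Stand-in for "the key has to live somewhere in the program" (hypothetical value).
BUILD_SECRET = "drfujibot-build-secret"


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream; a stand-in for whatever cipher a client might embed."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_shipped_artifact(token: str) -> dict:
    """The 'encrypt the token' idea: ciphertext ships beside what derives its key."""
    key = hashlib.sha256(BUILD_SECRET.encode()).digest()
    ct = xor_bytes(token.encode(), keystream(key, len(token)))
    return {"key_seed": BUILD_SECRET, "token_ct": ct.hex()}


def recover_from_artifact(artifact: dict) -> str:
    """What anyone holding the shipped files can do: re-derive the key and decrypt."""
    key = hashlib.sha256(artifact["key_seed"].encode()).digest()
    ct = bytes.fromhex(artifact["token_ct"])
    return xor_bytes(ct, keystream(key, len(ct))).decode()


def store_user_token(config_dir: Path, token: str) -> Path:
    """Per-user model: the user's own token stays on their machine, written with
    mode 0600 (owner read/write only; the mode bits only take effect on POSIX)."""
    config_dir.mkdir(parents=True, exist_ok=True)
    path = config_dir / "twitch_token.json"  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"token": token}, f)
    return path


def load_user_token(path: Path) -> str:
    return json.loads(path.read_text())["token"]


def demo() -> dict:
    """Run both designs and report what each one exposes."""
    artifact = build_shipped_artifact(FAKE_TOKEN)
    with tempfile.TemporaryDirectory() as tmp:
        path = store_user_token(Path(tmp) / "drfujibot", FAKE_TOKEN)
        loaded = load_user_token(path)
        mode = path.stat().st_mode & 0o777
    return {
        "plaintext_visible": FAKE_TOKEN in json.dumps(artifact),  # a grep finds nothing
        "recovered": recover_from_artifact(artifact),             # but recovery is trivial
        "loaded": loaded,
        "mode": oct(mode),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Swapping the toy cipher for AES changes nothing about the result: `recover_from_artifact` only needs what the program itself needs in order to run. The per-user file is the same "token on a computer" situation, but the only person who can extract it is the person it already belongs to.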

Why don't you host a server for everyone like you did for DrFujiBot 1.0?

Because I would rather not, and because I don't have spare time to maintain it. The whole reason for the DrFujiBot 2.0 re-write was to get away from hosting servers for people.

Can I ask a different question?

Sure, you can reach out to me on Twitter at https://twitter.com/drfujibot