As I said, there is no ill intent and at some point it will be fixed. Luckily this project is open source, so please, if you have the time, work on a pull request and I'll review the code. Realistically, if we were bad actors, all we could do with your user ID and IP is send denial of service attacks or attempt some sort of social engineering attack against your ISP. On top of that, you cannot pull any information from the Twitch API endpoints that anybody else on the platform couldn't. An IP address is not anywhere close to a geographic location and by itself doesn't serve as grounds for user identification. That seems a little outlandish and you are blowing the severity of this a bit out of proportion. I personally don't agree with "A user id linked to a Twitch account and dedicated IP, would essentially give you that streamers address." That is correct, we do not collect any personally identifying information; collecting such data would imply storing that information in a collection. Yes, I'm referring to that privacy policy. I can see how seeing your User ID is scary, but rest assured we are not storing it or passing it along in our proxied request. I personally don't have time to refactor the server and plugin currently, but I can put that on our roadmap as a feature. We pass your non-identifying arguments as part of the proxied request, i.e. fast_bread, supported_codecs, etc. Easier to just pull all query parameters. It was implemented this way for a couple of reasons: Once again this data is not stored and is not sent as part of the proxied request. Once the handler call is complete your request falls out of scope and in turn, any identifying information in memory is gone. Depending on where you are located you will be hitting a server in New York or Germany where your request is parsed and then proxied. The endpoint you are hitting is also not some random proxy in Russia. As per our privacy policy, we are not storing your Twitch user IDs or IP from the request.
I just want to clear up any confusion on this topic. If you could make it so that only the channel name or VOD ID is sent, that would fix it. Tested this myself and it does leak that information. This does not apply to Purple Ad-Block, which only sends the channel name." Not trying to scare people away as I'm sure it was just easier for them to implement it this way but still, it is a security risk. Hopefully the devs will remove this information from its extension, as it shouldn't be needed. For obvious reasons this could be a problem. The extension currently leaks your Twitch user ID and personal IP to their Russian proxy. "Just a warning to those using TTV LOL, especially if you are a streamer.
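The fix requested in the thread (send only the channel name or VOD id) comes down to allowlisting what leaves the client instead of forwarding every query parameter. The sketch below is an added example, not code from the TTV LOL project: the proxy host, the `/playlist/` path layout and the `viewer_id` and `token` parameter names are constructed placeholders, and only `fast_bread` and `supported_codecs` are taken from the discussion.

```javascript
// Added example (not project code): build the request sent to a third-party
// proxy from an allowlist, so identifying query parameters never leave the client.

// Parameters the thread describes as non-identifying.
const ALLOWED_PARAMS = new Set(["fast_bread", "supported_codecs"]);

// Channel names / VOD ids are expected to be short alphanumeric tokens (assumption).
const ID_PATTERN = /^[A-Za-z0-9_]{1,64}$/;

function buildProxyUrl(originalUrl, proxyBase, allowed = ALLOWED_PARAMS) {
  const src = new URL(originalUrl);
  const out = new URL(proxyBase);

  // Take the channel name or VOD id from the last path segment, e.g. "name.m3u8".
  const segment = src.pathname.split("/").filter(Boolean).pop() || "";
  const id = segment.replace(/\.m3u8$/i, "");
  if (!ID_PATTERN.test(id)) {
    throw new Error("unexpected channel or VOD id");
  }

  // Hypothetical path layout on the proxy side.
  out.pathname = out.pathname.replace(/\/$/, "") + "/playlist/" + encodeURIComponent(id);

  // Copy only allowlisted parameters; record the names of everything dropped
  // so the behaviour can be audited (names only, never values).
  const dropped = [];
  for (const [key, value] of src.searchParams) {
    if (allowed.has(key)) {
      out.searchParams.append(key, value);
    } else {
      dropped.push(key);
    }
  }
  return { url: out.toString(), dropped };
}

// Constructed sample input: "viewer_id" and "token" stand in for any
// account-linked parameter present on the original request.
const sample =
  "https://video.example/api/channel/hls/somechannel.m3u8" +
  "?fast_bread=true&supported_codecs=avc1&viewer_id=12345&token=abc";

const result = buildProxyUrl(sample, "https://proxy.example");
console.log(result.url);
console.log("dropped:", result.dropped.join(", "));
```

Filtering parameters only controls what is placed in the request; the proxy still sees the source IP of the connection, as any server does.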