
Once believed to be indestructible, big tech companies like LinkedIn, Adobe, and even Facebook have succumbed to data breaches, hacks, and leaks in recent years. The latest of these is the hack of the livestreaming site Twitch.
In October 2021, a hacker anonymously published a large torrent file. This file contained confidential information, such as all of Twitch’s source code and content creator earnings.
Naturally, you may look at the Twitch hack and wonder: If even a big tech firm is vulnerable to cyberattacks, how can I improve my application security to protect against such threats? The solution is simple: effective application security testing.
In this article, we’ll explore the full extent of the Twitch hack and its underlying reasons. In doing so, we will highlight the fatal application security flaw that leads to these cyberattacks and show how you can protect your software against them.
Although the Twitch hack has made headlines worldwide, the full extent of this hack remains unclear. Both the anonymity of the hacker and uncertainty about the size of the breach have made it difficult to assess the scope of the damage.
Before we delve deeper into what we don’t know about the breach, let’s consider what we do know.
In the early hours of October 6, 2021, a user on 4chan, an anonymous imageboard website, published a 125 GB torrent file. The torrent file was titled “Part One,” suggesting it was the first in a series of subsequent leaks, and contained sensitive data leaked from Twitch, an online streaming service and platform.
A few hours after the initial release, Twitch officially confirmed that the 4chan leak was legitimate.
So, what exactly did this massive data breach entail?
The short version is that it was the company’s source code through its near-complete repository and the earnings data of Twitch content creators.
The more detailed version includes the following:
At first glance, users may be relieved to see that the data leak doesn’t contain sensitive user data, such as passwords, phone numbers, or addresses.
However, this is far from certain: the second part of the leak, which has not yet been released publicly, is likely to contain user data and passwords. We therefore still recommend changing your Twitch password and enabling two-factor authentication (2FA) if you haven’t already done so.
The impact of the Twitch hack is difficult to assess, as it is primarily focused on leaking company details rather than user account information. At the moment, at least, the goal of the hack appears to be disrupting Twitch’s business more than harming its users.
One thing’s sure, though: this leak has raised alarm bells for several software companies regarding application security testing and quality assurance. After all, if hackers could take down one of the biggest tech companies worldwide, where does that leave smaller companies?
Apart from Twitch itself, the leaks have hurt Twitch content creators the most. To date, Twitch creator earnings, including revenue from subscriptions, advertisements, and viewer donations, have remained mainly confidential. The leak was the first major data breach in which hackers released confidential Twitch earnings details to the public.
Twitch continues to face an issue with income disparity, as the gap between the platform’s top earners and the majority of its streamers, who struggle to earn a living through it, only continues to grow. Leaking creator earnings details highlighted this disparity further and may alienate many of the platform’s users.
In August, the original leaker himself signed off the leak with the hashtag #TwitchDoBetter, in response to the Twitch hate raids that occurred earlier this year. Unfortunately, it appears that the Twitch brand image has taken a turn for the worse due to this leak and may take some time to recover in the public eye.
So, what exactly went wrong with the Twitch leaks?
While we still don’t know the exact details of the vulnerabilities that the attacker exploited to hack Twitch, the hack appears to be a result of obsolescence.
Obsolescence risk occurs when a software application uses outdated components in its source code. These components can become vulnerabilities that attackers can exploit.
Earlier this year, the Open Web Application Security Project (OWASP) identified obsolescence risk as one of the top cyber threats and application security risks in the OWASP Top 10 2021, a list of the 10 worst cyber threats that web applications face in 2021. The recent Twitch hack indicates that the ranking seems to be reasonably accurate.
Obsolescence in software application security can occur when one or more outdated components are used alongside newer ones, resulting in security holes in the web application. Using unsupported software libraries, discontinued APIs, or outdated Database Management Systems (DBMS) are all risk factors for obsolescence.
In addition to obsolescence risk, another potential risk factor that may have contributed to the Twitch leaks is known as A05 Security Misconfiguration. Inappropriate security hardening and insecure application framework settings are common vulnerabilities that may lead to security misconfiguration exploits.
No matter what the cause was, though, without proper application security testing and DevSecOps integration, there’s no surefire way of knowing what kinds of vulnerabilities your software has and protecting yourself against them.
If you’re still with us, you’re probably already convinced that you’ll need a more reliable approach to software application security testing to protect yourself from such cyberattacks and leaks.
That’s where Kiuwan security solutions come in.
Kiuwan is your all-in-one DevSecOps solution for unparalleled application security testing and software composition analysis. Kiuwan offers an end-to-end application security platform for DevSecOps teams.
Kiuwan’s mission statement is to empower DevSecOps teams to create more secure and robust software safe from cyber threats, vulnerabilities, and exploits.
Kiuwan helps teams build more secure web applications and software with the Static Application Security Testing (SAST) tool and SCA Insights. We’ll briefly review both here to show you how they can help protect you against leaks, such as the recent Twitch hack.
Kiuwan’s SAST is an automated DevSecOps tool for code scanning.
Simply put, SAST helps you build more secure applications by scanning for security flaws in real time. Rather than manually checking code for vulnerabilities, SAST automates the process for you, scanning your codebase for security flaws. The entire process takes minutes on your local machine.
SAST supports over 30 programming languages, including Python, Swift, and JavaScript. It is also easy to integrate with pre-existing DevSecOps tools, as well as repositories such as GitHub, Bitbucket, and Assembla. SAST code-scanning tools are also available as extensions to your local IDE.
In the event of obsolescence in your code due to the use of vulnerable or outdated code components, SAST will automatically scan your codebase and alert you. This preemptive alert will keep your web application secure from cyberattacks such as the one that targeted Twitch.
What’s more, once you detect any security flaws, you can use SAST to build a custom action response plan to protect your web application against potential cyber threats.
SCA Insights scans your static codebase, libraries, and components to help manage your open-source software risk.
If your software contains vulnerabilities due to unverified third-party libraries, SCA Insights will alert you to which components are putting your software at risk. Additionally, SCA Insights is specifically designed to identify threats from open-source components, thereby reducing the risk of obsolescence.
Kiuwan Insights leverages a collective knowledge base built by experts over the years to keep your software code secure. The tool also automatically tracks application architecture, dependencies, obsolescence risk, and real-time code quality to help teams optimize their code.
Additionally, SCA Insights is frictionless; the tool requires minimal setup. Instead, teams can integrate it and use it straight out of the box.
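To make the obsolescence-risk and SCA ideas above concrete, here is an added example (not Kiuwan's code or its advisory database) of the core check an SCA tool performs: pinned dependency versions from a manifest are compared against known-vulnerable version ranges and end-of-life thresholds. All package names, versions and advisory ids are constructed for illustration.

```python
"""Minimal SCA-style check: flag manifest dependencies whose pinned version
falls inside a known-vulnerable range or is below the supported minimum."""

# Constructed sample advisories: (name, first affected incl., first fixed excl., id)
ADVISORIES = [
    ("legacy-xml", (0, 0, 0), (2, 4, 1), "ADV-EXAMPLE-001"),
    ("fastjsonlib", (1, 2, 0), (1, 3, 0), "ADV-EXAMPLE-002"),
]
# Constructed end-of-life data: versions below this are unsupported (obsolescence risk)
END_OF_LIFE = {"legacy-xml": (3, 0, 0)}

def parse_version(text):
    """'2.4' -> (2, 4, 0); pads missing parts so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_manifest(text):
    """Parse 'name==version' lines (requirements.txt style); comments are ignored.
    Unpinned dependencies are rejected because their version cannot be assessed."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        if not ver:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = parse_version(ver)
    return deps

def find_risks(deps):
    """Return sorted (name, kind, detail) findings for vulnerable or unsupported components."""
    findings = []
    for name, ver in deps.items():
        for adv_name, lo, hi, adv_id in ADVISORIES:
            if name == adv_name and lo <= ver < hi:
                findings.append((name, "vulnerable", adv_id))
        eol = END_OF_LIFE.get(name)
        if eol and ver < eol:
            findings.append((name, "unsupported", "below " + ".".join(map(str, eol))))
    return sorted(findings)

MANIFEST = """\
# constructed sample manifest
legacy-xml==2.3.9
fastjsonlib==1.3.2
requestkit==4.1.0
"""

if __name__ == "__main__":
    for finding in find_risks(parse_manifest(MANIFEST)):
        print(*finding)
```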
The recent Twitch hack highlights that web application security is a significant concern, and even the most experienced organizations with substantial resources are susceptible to hacks, leaks, and exploits.
To keep your software safe and secure, you need a DevSecOps solution to provide you with the tools and platforms needed to write secure code.
Kiuwan security solutions are your one-stop source for all your web application security needs. Kiuwan SAST and SCA Insights are practical tools that can help keep your web application safe from cyber threats with minimal effort.
Whether it’s protecting against obsolescence risk or security misconfigurations, get Kiuwan security solutions today to keep your web applications secure from future cyberattacks.