Livestreaming apps aren't new, but few have enjoyed as much notoriety in such a short time as Meerkat. Twitter users have adopted it in droves and the social network even went as far as limiting the app's access to its social graph last week for violating its policies. But as Meerkat continues to enjoy its time in the spotlight, a pretty serious flaw has emerged, one that lets users hijack any stream while it's in progress.
The flaw was discovered by developer Wesley Crozier, who found he could replace the unique streaming ID of any live video with his own feed, thereby hijacking the stream and turning it into his own. Using freely available software, Crozier listened to requests the app made to Meerkat servers and amended them as he liked. The process employs a man-in-the-middle technique, meaning it doesn't require physical access to Meerkat's servers, but instead uses a proxy to amend requests as they pass to and from the app.
By design, Meerkat makes it easy to obtain these unique stream IDs as it sends them inside the app in plaintext and includes them in every Meerkat link (see below). In our tests, Crozier was able to replace my mundane feed with his stream of the Nyan Cat website and snippets of a BBC News report.
Let's be completely clear: Meerkat users' details are secure. In fact, Meerkat has already taken steps to mitigate the issue by changing its server configuration to drop duplicate streams. Streams can still be hijacked, but as you can see in our demonstration, only temporarily.
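To illustrate why a publicly visible stream ID cannot double as the credential for feeding a stream, here is an added example (not Meerkat's code, and not from the original article) of a toy ingest server that accepts a feed on the ID alone, next to a version that also requires a secret publish token bound to the stream's owner. The `Ingest` class, its methods, the token scheme and the account names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of a stream ingest server; no names here come from Meerkat.
SERVER_KEY = secrets.token_bytes(32)  # constructed signing key, server-side only


def issue_publish_token(stream_id: str, account: str) -> str:
    """Secret handed to the broadcaster at stream creation; never put in links."""
    msg = f"{stream_id}|{account}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class Ingest:
    def __init__(self):
        self.owner = {}   # stream_id -> account that created the stream
        self.source = {}  # stream_id -> account whose video viewers receive

    def create_stream(self, account: str):
        stream_id = secrets.token_hex(8)  # public: appears in every share link
        self.owner[stream_id] = account
        self.source[stream_id] = account
        return stream_id, issue_publish_token(stream_id, account)

    def publish_weak(self, stream_id: str, sender: str) -> bool:
        """Weak form: the public stream ID alone decides which stream is fed."""
        if stream_id not in self.owner:
            return False
        self.source[stream_id] = sender  # anyone who knows the ID takes over
        return True

    def publish_bound(self, stream_id: str, token: str) -> bool:
        """Hardened form: the feed is accepted only with the owner's secret token."""
        account = self.owner.get(stream_id)
        if account is None:
            return False
        expected = issue_publish_token(stream_id, account)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False  # knowing the public ID is not enough
        self.source[stream_id] = account
        return True


if __name__ == "__main__":
    srv = Ingest()
    sid, tok = srv.create_stream("alice")  # constructed accounts
    srv.publish_weak(sid, "mallory")
    print("weak  ->", srv.source[sid])
    srv.source[sid] = "alice"
    print("bound ->", srv.publish_bound(sid, "0" * 64), srv.publish_bound(sid, tok))
```

The token only helps if it reaches the app over a channel a proxy on the path cannot read or alter, which in practice means TLS with certificate validation enforced by the client.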
It's obvious that with a flaw like this in the wild, some of the more prominent Meerkat users could have their feeds targeted. Just yesterday, Tonight Show host and early tech adopter Jimmy Fallon broadcast his rehearsal on Meerkat, which overloaded the service for a short time. If an attacker knew of the issue, Fallon's feed could have been replaced with something much more nefarious.
- jimmy fallon (@jimmyfallon) March 18, 2015
It's a problem for Meerkat, but it also opens up a wider conversation about taking rapid prototypes to market, and about how insanely hard it is to get in touch with a company that has no direct form of contact other than Twitter. Though we've not heard from Meerkat directly, in the five hours since the issue was disclosed, we've already seen server-side changes that go some way towards fixing it. Right now, the Meerkat app hasn't been updated to remedy the issue, but it's likely to be patched sometime in the very near future.