Meerkat is silently fixing a flaw that lets anyone hijack livestreams

Matt Brian, @m4tt
March 19, 2015

Livestreaming apps aren't new, but few have enjoyed as much notoriety in such a short time as Meerkat. Twitter users have adopted it in droves, and the social network even went as far as limiting the app's access to its social graph last week for violating its policies. But as Meerkat continues to enjoy its time in the spotlight, a pretty serious flaw has emerged: one that lets any user hijack any stream while it's in progress.

Update: About 24 hours later, Meerkat says it's fixed! Thanks for reading, and hey, drop us a line sometime.

The flaw was discovered by developer Wesley Crozier, who found he could substitute his own feed for any live video simply by reusing that video's unique stream ID, thereby hijacking the stream and turning it into his own. Using freely available software, Crozier intercepted the requests the app made to Meerkat's servers and altered them as he liked. The technique is a man-in-the-middle proxy placed between the app and Meerkat: it needs no access to Meerkat's servers, only the ability to rewrite requests as they pass to and from the app. The implication is that Meerkat's servers were accepting whatever stream ID a client put in a request, without checking that the sender actually owned that stream.

By design, Meerkat makes it easy to obtain these unique stream IDs: the app handles them in plaintext and every Meerkat link includes one, so the ID of any live stream is there for the taking. In our tests, Crozier was able to replace my mundane feed with his stream of the Nyan Cat website and snippets of a BBC News report.

Let's be completely clear: the flaw does not expose Meerkat users' account details. Meerkat has already taken a first step to mitigate the issue by changing its server configuration to drop duplicate streams. Streams can still be hijacked, but as our demonstration shows, only temporarily.
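To make the server-side mistake concrete, here is an added example. It is not Meerkat's code: the article does not describe Meerkat's API, so the request shape, the field names, the publisher token and the constructed "victim-camera" and "nyan-cat" sources are all assumptions. It models the publish path as the article describes it, with a stream ID that the client supplies and that anyone can read out of a share link, beside a hardened version that binds publishing to a secret issued only to the stream's creator and, as a second layer, refuses a second publisher while a stream is live, which is the duplicate-stream change the article reports.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Stream:
    stream_id: str                        # public ID, present in every share link
    owner: str                            # account that created the stream
    publisher_token: str                  # secret the hardened server issues to the creator only
    current_source: Optional[str] = None  # feed currently relayed to viewers


class VulnerableStreamServer:
    """Models the flaw: the stream ID in the publish request is the only thing
    selecting which stream a feed goes to, and the client controls that field.
    (Assumed model, not Meerkat's implementation.)"""

    def __init__(self) -> None:
        self.streams: Dict[str, Stream] = {}

    def create_stream(self, user: str) -> str:
        sid = secrets.token_hex(4)
        self.streams[sid] = Stream(sid, user, publisher_token="")
        return sid

    def publish(self, request: dict) -> str:
        # No check that the sender owns request["stream_id"]: whoever names a
        # live stream's ID replaces its feed.
        stream = self.streams[request["stream_id"]]
        stream.current_source = request["source"]
        return stream.current_source


class HardenedStreamServer:
    """Ties publishing to a secret that never appears in share links, and also
    refuses a second publisher while a stream is live (the 'drop duplicate
    streams' change the article reports as Meerkat's first mitigation)."""

    def __init__(self) -> None:
        self.streams: Dict[str, Stream] = {}

    def create_stream(self, user: str) -> Tuple[str, str]:
        sid = secrets.token_hex(4)
        token = secrets.token_urlsafe(32)  # returned once, to the creating client only
        self.streams[sid] = Stream(sid, user, token)
        return sid, token

    def publish(self, request: dict) -> str:
        stream = self.streams.get(request["stream_id"])
        if stream is None:
            raise PermissionError("unknown stream")
        presented = request.get("publisher_token", "").encode()
        if not secrets.compare_digest(presented, stream.publisher_token.encode()):
            raise PermissionError("publisher token does not match stream owner")
        if stream.current_source is not None and stream.current_source != request["source"]:
            # Second layer only: on its own this guard merely limits a hijack,
            # which is consistent with the article's 'only temporarily'.
            raise PermissionError("stream already has a live publisher")
        stream.current_source = request["source"]
        return stream.current_source


def intercept_and_rewrite(request: dict, victim_stream_id: str) -> dict:
    """Stands in for the intercepting proxy: the attacker's own outgoing publish
    request has its stream ID swapped for one lifted from a victim's share link."""
    tampered = dict(request)
    tampered["stream_id"] = victim_stream_id
    return tampered


def demo_vulnerable() -> str:
    """Returns the feed the victim's viewers see after the tampered request."""
    server = VulnerableStreamServer()
    victim_sid = server.create_stream("victim")
    server.publish({"stream_id": victim_sid, "source": "victim-camera"})
    attacker_sid = server.create_stream("attacker")
    tampered = intercept_and_rewrite(
        {"stream_id": attacker_sid, "source": "nyan-cat"}, victim_sid)
    return server.publish(tampered)


def demo_hardened() -> Tuple[str, str]:
    """Returns (feed the victim's viewers still see, error the attacker got)."""
    server = HardenedStreamServer()
    victim_sid, victim_tok = server.create_stream("victim")
    server.publish({"stream_id": victim_sid, "publisher_token": victim_tok,
                    "source": "victim-camera"})
    attacker_sid, attacker_tok = server.create_stream("attacker")
    tampered = intercept_and_rewrite(
        {"stream_id": attacker_sid, "publisher_token": attacker_tok,
         "source": "nyan-cat"}, victim_sid)
    try:
        server.publish(tampered)
        error = ""
    except PermissionError as exc:
        error = str(exc)
    return server.streams[victim_sid].current_source or "", error


if __name__ == "__main__":
    print("vulnerable server now relays:", demo_vulnerable())
    print("hardened server relays, attacker error:", demo_hardened())
```

The attacker in the hardened case holds a perfectly valid token for his own stream; the check fails because the token is bound to a stream the ID in the request does not name. That is the property a plaintext, link-visible ID cannot provide on its own.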

It's obvious that with a flaw like this in the wild, some of the more prominent Meerkat users could have their feeds targeted. Just yesterday, Tonight Show host and early tech adopter Jimmy Fallon broadcast his rehearsal on Meerkat, which overloaded the service for a short time. If an attacker knew of the issue, Fallon's feed could have been replaced with something much more nefarious.

It's a problem for Meerkat, but it also opens up a wider conversation about taking rapid prototypes to market, and about how hard it is to report an issue to a company whose only direct form of contact is Twitter. Though we've not heard from Meerkat directly, in the five hours since the issue was disclosed we've already seen server-side changes that go some way towards fixing it. The Meerkat app itself hasn't yet been updated to remedy the issue, but a patch seems likely in the very near future.
