Fighting Malicious Bots

Let’s ask the age-old question:

How will Glimesh fight against bots committing malicious acts?

But first, let’s break down this topic into more of an Informal Discussion:

Malicious bots such as Impersonators, Scammers, those “wanna be famous?” accounts and Hate Raiding bots are computer coded Bots that are designed and created to Harass, Steal Private Information and hijack innocent Accounts.

These bots have one target and one focus in mind: Streamers, Content Creators and Viewers.

Why is this a big deal?

Well, these bots are believed to make easy money by stealing or hijacking Accounts through the use of Malicious API Requests of said Streaming Platforms. They are more focused on committing criminal acts and stealing information such as Credit Cards, Social Security Numbers and ID Numbers.

Types of Malicious Acts:

  • Hate Raids: A form of harassment tactic to spill out a lot of serious and effective slurs and hate messages to force the Streamer to shut down the stream and call it a Victory. Those are mainly targeted at LGBTQ Streamers, Furries and VTubers.

  • Impersonators: Bots disguised as Verified and Partnered Creators in order to lure or trick the viewer into thinking they won a prize or giveaway with a Phone Number added to the Impersonators’ Username or Display Name. The viewer would then enter the number out of excitement and then get their Private Information stolen.

  • Scammers: This one is simple: Fake or Forged Emails pretending to offer the Creator a Sponsored Deal for a non-existent product or game. This is how some YouTube Channels get their accounts yoinked, by having the creator download a file in the form of a Virus and then execute it on the spot.

Why should we be prepared if this happens to us?

As new platforms arise and Partnered Creators choose to stream to those new Platforms, so will these Malicious Bots. The bots will stop at nothing to complete their Mission and will use any tactic they can to accomplish this.

Let’s take the Games with Anti-Cheat Measures in place as an example:

  • The golden rule of making a Game is: NEVER reveal your protection measures in blog posts, social media posts or Patch/Update Notes, because that is how cheat makers bypass Anti-Cheat measures.

  • Some games, like Riot Games’ Valorant FPS Game, have a Kernel Based Custom Built Anti-Cheat Software that immediately terminates the match if a Cheater has been detected and prevents other players from receiving Loss Stats.

Conclusion

Glimesh is still in Alpha Stage and we already saw signs of API Abuse throughout the Website with odd accounts repeating sent messages and some posting Real World Addresses without any explanation, which is concerning to say the least.

Please feel free to discuss, as well as share any criticism about this Topic.

I agree with all that you’ve pointed out and this topic is something we should keep in mind as the platform grows both feature-wise (code) and community-wise (people).

We have an added challenge in that all our code is visible and can be contributed to on GitHub.

With that said, there are a few things we’re already doing and some things we should consider as we go forward with the design of the site (NOTE: This is not meant as a point-for-point rebuttal to the original post, but rather a means to add to the ongoing conversation):

  1. Be very careful with API keys the system uses to communicate with third parties. Right now, we have measures in place so that it is difficult to accidentally commit API keys to the public repository but we should always remain diligent.
  2. Botting:
    a) View bots – would currently be unlikely to accomplish anything on the site since we don’t rank streams by view count. When planning features for the future, we should strive to continue to make view botting useless.
    b) Spam bots – we are unfortunately susceptible to these today. Perhaps we can investigate flagging all chat messages that originate via the API with a robot icon like Discord? Maybe those messages can be internally identified in such a way that moderators/streamers can block them en masse? Open to discussion on that one.
    c) Hate raids via bots – I don’t foresee a need for Glimesh to expose the raiding functionality to a public API. This feels like something that can be restricted to the website (I realize that means streamers won’t be able to trigger raids via a mobile device). Again, thoughts on that are welcome.
    d) Hate raids via humans/embedded streams – we don’t currently have the ability to embed our streams on other websites but it is an important feature that should be looked at for the future. When that time comes, we do need to consider situations where a stream is embedded without the streamer’s knowledge on shady sites as we saw happen with Twitch.
  3. Impersonation/Scamming – I believe there are procedures in place for handling name squatters (and we have a few of those). We also have two-factor authorization in place (and seriously, everyone should be using that). Going forward we should also investigate the following:
    a) Sending emails to users whenever information related to their account is updated so if something changes without their knowledge that would be the first clue.
    b) Sending emails whenever we detect a login from an unfamiliar device.
    c) Mobile push authentication – instead of a two-factor code, a push notification is sent to the user’s mobile device that they have to acknowledge.
    d) Communication – if there are known scams/bot attacks occurring on the site, there should be a good way to notify the userbase so they are informed. Perhaps this would be a system message or inbox feature.

Again, these are all suggestions off the top of my head and I’m open to any thoughts.

2 Likes
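The idea in item 2b above (mark chat messages that arrive via the API, and let moderators block them en masse) could look like the following. This is an added sketch, not Glimesh code and not part of the thread; the `ChatMessage` fields, the `origin` values, the `[BOT]` marker and the repeat threshold are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical message model; `origin` is an assumed field recording whether
# the message came through the website ("web") or the public API ("api").
@dataclass
class ChatMessage:
    id: int
    channel: str
    user: str
    origin: str
    body: str
    hidden: bool = False

def normalize(body):
    """Collapse case and whitespace so trivially varied repeats still match."""
    return " ".join(body.lower().split())

def flag_repeaters(messages, threshold=3):
    """Users who sent the same normalized text via the API >= threshold times."""
    counts = Counter((m.user, normalize(m.body))
                     for m in messages if m.origin == "api")
    return {user for (user, _), n in counts.items() if n >= threshold}

def bulk_hide(messages, channel, users):
    """Hide all API-originated messages from `users` in a channel; return ids."""
    hidden = []
    for m in messages:
        if (m.channel == channel and m.origin == "api"
                and m.user in users and not m.hidden):
            m.hidden = True
            hidden.append(m.id)
    return hidden

def badge(m):
    """Render a message, prefixing API-originated ones with a bot marker."""
    return f"{'[BOT] ' if m.origin == 'api' else ''}{m.user}: {m.body}"

# Constructed sample chat log (not real Glimesh data).
SAMPLE = [
    ChatMessage(1, "demo_channel", "viewer_a", "web", "hello!"),
    ChatMessage(2, "demo_channel", "promo_bot", "api", "Wanna be famous?  Ask me"),
    ChatMessage(3, "demo_channel", "promo_bot", "api", "wanna be famous? ask me"),
    ChatMessage(4, "demo_channel", "songbot", "api", "Now playing: track 1"),
    ChatMessage(5, "demo_channel", "promo_bot", "api", "WANNA BE FAMOUS? ASK ME"),
    ChatMessage(6, "demo_channel", "viewer_a", "web", "hello!"),
]
```

A legitimate API bot such as the constructed `songbot` keeps its marker but is left alone, because only accounts that repeat the same text are flagged.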

Well said and well thought out.

There is one big issue though, our 2FA Function seems to not be working well and thus introduces a big security risk.

I am, to this day, unable to enable my 2FA Security and we need to fix that before something bad happens.

Hi MrTee,

Could you drop an email to support@glimesh.tv and explain in detail the actions you are taking to try and set up 2FA? We haven’t had any reports from our users experiencing issues with setting up 2FA. We would be happy to help you get this set up and understand the process.

While we understand your concerns as a risk to you personally, I assure you Glimesh takes security very seriously and 2FA is not a necessary security measure, merely an additional, optional layer of protection that we offer in addition to, not only security measures we have in place but also security measures you can help take to protect your accounts such as making sure not to share your email and password.

If you really do feel this is a major security risk I would ask that you reach out to the security team via support@glimesh.tv regarding this matter, as we have had no reports of 2FA issues from users to date but we will take all reports of security risks seriously should one be brought to our attention via official channels.

Thanks

1 Like

Emailing right now. Thank you Berri.

1 Like