Twitch users have been hit by malware that masquerades as a competition prize and has the power to drain all funds and items from a user’s Steam account.
Finnish security company F-Secure discovered the malware, which has succeeded in draining the accounts of users on the Steam retail site and can also add new friends on Steam and initiate trades with them.
The malware is spread by a Twitch bot that has been bombarding chat channels with invitations to take part in a weekly raffle that offers the chance to win prizes to use in the Counter-Strike: Global Offensive game, including two M9 Bayonet knives.
When users click the link, it takes them to a Java program that requests the participant’s name and email address, and then permission to publish the user’s name should they win the competition.
Once the competition has been entered, a confirmation message appears, reading: “Congratulations, you have joined this week’s raffle. We will contact you by e-mail if you win!”
Right after the message appears, the malicious software is able to perform a variety of tasks in the user’s Steam account and on their machine. It can:
- Take screenshots
- Add new friends in Steam
- Accept pending friend requests in Steam
- Initiate trading with new friends in Steam
- Buy items, if user has money
- Send a trade offer
- Accept pending trade transactions
- Sell items with a discount in the market
A Twitch spokesman spoke to the BBC and stated that the vulnerability was the “first instance” he had seen and the site wanted to “remind our community about not clicking on links from unknown sources just like they wouldn't on other social media sites”.
Amazon bought Twitch for a huge £585 million just last month, after Google had been rumoured for some time to be eyeing it up. The service, which allows users to watch other people play video games, has 55 unique monthly views.