Malicious software spread via chat forums on the video games streaming site Twitch can spend users’ money without authorisation, it has emerged.
The Finnish security firm F-Secure said clicking on the malware links also enabled infiltrators to wipe accounts on the gaming shop, Steam.
Twitch is advising users not to use links from unknown sources.
The site, which was recently bought by Amazon for $970m (£597m) has more than 55 million unique monthly viewers.
The malware woos users with the promise of prizes
The vulnerability originates from an automated account which, according to F-Secure, “bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as ‘Counter-Strike: Global Offensive’ items”.
If viewers take the bait, they are invited to fill in their name and email address which then allows the malicious software to gain control, allowing it to:
Add new friends in Steam (a gaming shop and community commonly linked to Twitch accounts)
Accept pending friend requests in Steam
Initiate trading with new friends in Steam
Buy items, if user has money
Send a trade offer
Accept pending trade transactions
A spokesman for Twitch told the BBC that the vulnerability was the “first instance” he had seen, but that the site would “remind our community about not clicking on links from unknown sources just like they wouldn’t on other social media sites”.
He added: “Please note that we give all broadcasters the option to disable links in their chat which can easily prevent this.”
More on this story : http://www.bbc.com/news/technology-29177284