OSINT on Twitch

Twitch can be an awesome source of information when doing OSINT research, especially if the target is linked to streaming (as a streamer or a viewer).

Here is how the article is built:

  1. Channel
  2. Chat
  3. Categories
  4. Livestream
  5. Past broadcasts
  6. Clips
  7. Followers
  8. Bots
  9. Overall stats
  10. Twitch API
  11. Links / resources

Not all of these pieces of information are always available; it depends on the data provided by users.

Some information may look redundant because it is used in multiple sections.

Twitch OSINT attack surface (inspired by https://github.com/sinwindie):


1) Channel

Every user on the platform has a channel. There is no technical difference between a viewer and a streamer: the account type is the same and a viewer can start a stream at any moment. When a streamer finishes the livestream he/she becomes a basic viewer.

Throughout this article I’ll use “channel” and “user” interchangeably; they are the same thing.

There is a lot of information we can find on channels. We’ll look at it below.


ID

To access a user profile the URL is always the same: https://www.twitch.tv/USERNAME

Be careful though, a user can change his username at any time (not really but we’ll see this below). In this case it will be more difficult to find him again. The solution is to keep his ID, which never changes.

The ID can be found using

If we only have the ID, a simple Google query can sometimes reveal the associated username: "<ID>" twitch.

We can also view the account creation date with most of the websites related to Twitch stats (we will see them later in this article).

Here is an example with the Twitch streamer “Pokimane” using the website https://twitchinsights.net/checkuser:

Another way to find these pieces of information about an account is to use the API: https://api.ivr.fi/twitch/resolve/USER


Username

A user on Twitch can be identified by his username, which is unique at any given time (two users cannot have the same one). But, as said in the previous part, a username can be changed, so it is not the most reliable element for tracking a user’s activities.

From the Twitch FAQ and various searches, here are some facts to know about usernames:

  1. Username can be changed only once every 60 days (even when the account has just been created).
  2. After username change, the original name will not become available again for at least 6 months.
  3. Usernames may be freed up for re-registration, without notice, if they are no longer active, meaning, there is no viewing or login activity associated with the account for at least 12 months.
  4. Inactive usernames will be recycled periodically and made available for new users and renames.
  5. After a deletion or rename, the old username will be recycled. It will take a minimum of 6 months for this process, eventually that username will be added to the pool of available usernames.

The username can be found in different locations:

Sometimes you will see usernames written in Japanese or in another language as shown in the screenshot below:

This is related to localized display names. You can find more information on the Twitch blog post: https://blog.twitch.tv/fr-fr/2016/08/22/localized-display-names-e00ee8d3250a/

If you want to get more information about the username policy: https://safety.twitch.tv/s/article/Usernames?language=en_US


Profile picture

The profile picture can be found on the user’s profile and can be used to perform reverse image search and identify other places where this image has been used.

The profile picture can be opened by right clicking on the profile and “Open image in a new tab”. By default, the profile picture size is 70x70 but we can directly change the size in the URL to 300x300 or 600x600.

For Pokimane, the URL is https://static-cdn.jtvnw.net/jtv_user_pictures/6cd4de40-1a83-46c7-aea5-3bd73f90e7e4-profile_image-70x70.png for the default size.

We can replace it with https://static-cdn.jtvnw.net/jtv_user_pictures/6cd4de40-1a83-46c7-aea5-3bd73f90e7e4-profile_image-600x600.png :

It can also be found using the Twitch API: https://api.ivr.fi/twitch/resolve/USER


Social Networks

It is common for a streamer to add the related social media links/usernames. This could be done either in the “About” section of the channel or directly in the livestream.

Coupled with past broadcasts, we can potentially find if the streamer changed the accounts or has multiple ones.


Offline screen

This is the screen when the streamer is not livestreaming. Often, social networks are displayed on screen.

If the streamer is hosting someone else, then the offline screen is not showing.


Bio / About

The bio is a small description of the streamer with, sometimes, relevant information such as social networks or other links.

The about section allows the streamer to add panels with custom text, images and links. It is used by most of the streamers to specify their PC configuration, merch and so on.

The about section is available at https://www.twitch.tv/USER/about

In blue the description / bio. In green, the social networks.

Below are the different panels with more information on the streamer’s activities:


Planning / Schedule

It’s a schedule of the future streams for a specific streamer. It can be found on every channel, but it is sometimes empty if the streamer does not fill it in.

It is accessible at https://www.twitch.tv/USER/schedule

The history of scheduled streams only goes back two months.

It also tells us when the last stream took place.

It seems like there is no tool or website to save the schedules. One solution would be to use the Wayback Machine and manually save the channels you want.

Another one would be to use a script to automatically save it locally by requesting the Twitch API. This is what I've done with a script named Twitch Schedule.

The schedules are saved as iCalendar and can be viewed either using an online viewer such as https://larrybolt.github.io/online-ics-feed-viewer or simply by importing it into Outlook, Google Agenda or the Windows Calendar application.

Outlook

In Outlook, go to the calendar and click “Add new calendar”:

Then, “Load from a file” and “Browse” to load the desired iCalendar file on the computer:

Google Agenda

Go to the settings:

Import and browse the iCalendar:

Windows Calendar

Simply right click on the iCalendar file and “Open With” -> Select “Calendar”.


Team

A user can be part of a team. This is a group created to bring together multiple users for an event, or simply streamers that have common interests.

A team’s information can be accessed at https://www.twitch.tv/team/TEAM_NAME

Here is an example of a team of French streamers:

Websites such as https://twitchstats.net/teams and https://sullygnome.com/teams let you search and view details of active and previous members with stats.


Ban

A channel can be temporarily or indefinitely banned if it doesn’t follow the Twitch Terms of Service (ToS, available here: https://www.twitch.tv/p/en/legal/terms-of-service/). A channel that is banned is no longer accessible during the ban time.

We can check if a channel is banned with different methods:


2) Chat

The chat is one of the most important elements when doing OSINT on Twitch because it allows us to see the interactions the target could have with the streamer or other users.

The chat is always activated and accessible even if the streamer is not live. It can also be watched in read-only for past broadcasts.

The Twitch chat uses IRC to communicate between the users. This makes information gathering easier. We can either create a custom script to connect to the wanted IRC channel and collect all messages in real time or use one of the multiple tools that already do that for us, such as https://github.com/xenova/chat-downloader.
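
As an added example (not from the original article and not chat-downloader's code), here is a Python parser for the tagged IRC lines that Twitch chat delivers. It keys every message on the `user-id` tag, so a renamed account still maps to the same ID, as discussed in the ID section. The sample lines, channel name and IDs are constructed; the tag names are the ones Twitch documents for its IRC interface.

```python
import re
from collections import defaultdict

# IRCv3 message-tag escapes: "\:" is ";", "\s" is a space, and so on.
_UNESCAPE = {"\\:": ";", "\\s": " ", "\\\\": "\\", "\\r": "\r", "\\n": "\n"}
_ESCAPE_RE = re.compile(r"\\[:s\\rn]")


def unescape_tag(value):
    """Decode one IRCv3 tag value in a single left-to-right pass."""
    return _ESCAPE_RE.sub(lambda m: _UNESCAPE[m.group(0)], value)


def parse_line(line):
    """Split a raw IRC line into tags, prefix, command and params."""
    line = line.rstrip("\r\n")
    tags, prefix = {}, None
    if line.startswith("@"):                      # optional tag section
        raw_tags, _, line = line[1:].partition(" ")
        for item in raw_tags.split(";"):
            key, _, value = item.partition("=")
            tags[key] = unescape_tag(value)
    if line.startswith(":"):                      # optional sender prefix
        prefix, _, line = line[1:].partition(" ")
    # Everything after the first " :" is one trailing parameter (the text).
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:] + ([trailing] if sep else [])
    return {"tags": tags, "prefix": prefix, "command": parts[0], "params": params}


def chat_record(line):
    """Return a flat record for a chat message, or None for other lines."""
    msg = parse_line(line)
    if not msg or msg["command"] != "PRIVMSG" or len(msg["params"]) < 2:
        return None
    tags = msg["tags"]
    login = (msg["prefix"] or "").split("!", 1)[0]
    # Badges arrive as "name/version" pairs separated by commas.
    badges = [b.split("/", 1)[0] for b in tags.get("badges", "").split(",") if b]
    sent = tags.get("tmi-sent-ts")
    return {
        "channel": msg["params"][0].lstrip("#"),
        "user_id": tags.get("user-id"),           # stable across renames
        "login": login,
        "display_name": tags.get("display-name") or login,
        "badges": badges,
        "sent_ms": int(sent) if sent and sent.isdigit() else None,
        "text": msg["params"][1],
    }


def logins_by_user_id(lines):
    """Group the logins seen per user ID; more than one login means a rename."""
    seen = defaultdict(set)
    for line in lines:
        rec = chat_record(line)
        if rec and rec["user_id"]:
            seen[rec["user_id"]].add(rec["login"])
    return {uid: sorted(names) for uid, names in seen.items()}


# Constructed sample lines (not real accounts): one user who renamed between
# two messages, a keep-alive PING, and a user with a localized display name.
SAMPLE = [
    "@badges=moderator/1,subscriber/6;display-name=Old_Name;room-id=1000;"
    "tmi-sent-ts=1650000000000;user-id=2001 "
    ":old_name!old_name@old_name.tmi.twitch.tv PRIVMSG #examplechannel :hello chat",
    "PING :tmi.twitch.tv",
    "@badges=;display-name=ローカル名;room-id=1000;"
    "tmi-sent-ts=1650000005000;user-id=2002 "
    ":viewer2!viewer2@viewer2.tmi.twitch.tv PRIVMSG #examplechannel "
    ":see https://example.com : thanks",
    "@badges=moderator/1;display-name=New_Name;room-id=1000;"
    "tmi-sent-ts=1655000000000;user-id=2001 "
    ":new_name!new_name@new_name.tmi.twitch.tv PRIVMSG #examplechannel :back again",
]

if __name__ == "__main__":
    for uid, logins in logins_by_user_id(SAMPLE).items():
        print(uid, logins)
```

Tags are only sent once the client has requested the `twitch.tv/tags` capability; without it, lines arrive with no `@...` section and `user_id` is `None`.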


Emotes

There are global and custom emotes to use on Twitch chats. Some emotes require a specific plugin to be able to see them (FrankerZ, BetterTTV, …) and some emotes are only available for subscribers.

Emotes can give information about a specific event or be related to another streamer.

We can view all the emotes with https://twitchemotes.com

@CommanderRoot created an awesome tool to search for an emote based on another one. It compares both emotes and checks whether they are different or not: https://twitch-tools.rootonline.de/emotes_content_id.php

This is useful to check if an emote has been stolen.


Messages

As said previously, all messages can be recorded in real time for further analysis. For some channels a tool available here https://logs.ivr.fi allows us to view all messages from users (including past messages).

If you want to set up your own log server you can use the same GitHub project that https://logs.ivr.fi uses: https://github.com/gempir/justlog (you must have Docker installed).

Another tool also exists but we won’t talk about it in this article: https://overrustlelogs.net

Justlog tutorial

Here is a small tutorial to set up, customize and use this project. Warning! This project only allows you to view messages of one person at a time, not the chat as a whole. To do that you can use the tool we mentioned just above https://github.com/xenova/chat-downloader.

First, you must create a new application to obtain a client ID and a client secret. Go to https://dev.twitch.tv and log in with the account you want to use to manage the application.

The account must be protected with 2FA.

Then browse to https://dev.twitch.tv/console/apps/create to create your application.

After your application is created you can manage it and generate your “Client ID” and “Client Secret”.

If you want to use the default settings of the justlog project then you can skip the next sub-section. If you want to customize your application a little bit more, then keep reading :)

OAuth token

To use your own username on chat you must generate an OAuth access token. To do that, open the following URL: https://id.twitch.tv/oauth2/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost&response_type=token&scope=SCOPE

Here is the page we land on when browsing to the OAuth URL:

After clicking “Authorize” you are redirected to localhost. The only thing we want is the access_token in the URL. Keep it safe for later.

We can then clone the repo, create a new directory in it and modify the configuration file. The following commands are performed on Ubuntu 20.04:

git clone https://github.com/gempir/justlog
cd justlog
mkdir logs
cp config.json.dist config.json
nano config.json

The default configuration file is:

{
	"admins": ["gempir"],
	"logsDirectory": "./logs",
	"adminAPIKey": "noshot",
	"username": "gempbot",
	"oauth": "oauthtokenforchat",
	"botVerified": true,
	"clientID": "mytwitchclientid",
	"clientSecret": "mysecret",
	"logLevel": "info",
	"channels": ["77829817", "11148817"],
	"archive": true
}

As explained on the GitHub page, if you don’t want to use an account, the only fields to change are “username” and “channels”.

In the case where you want to use an account:

Once the variables are correct you can run the container:

sudo docker run -p 8025:8025 --restart=unless-stopped -v $PWD/config.json:/etc/justlog.json -v $PWD/logs:/logs ghcr.io/gempir/justlog

If everything’s good you should see something like this:

You can now open your web browser to see the captured messages of all users for the selected channels: http://localhost:8025

All the messages are stored in the logs directory.

If you want to update the channels, the only way to do it I found is to modify the config.json file and restart the container.

Here is an example of the web interface with some messages logged:


Depending on the chat permissions, some channels allow links to be posted in the chat. Otherwise a bot deletes them.


Viewers list

The list of people viewing the livestream can be shown directly on Twitch, on top of the chat:

We can then see the moderators, VIPs and viewers. We can even filter a specific user to see if he is currently on the livestream:

We can also use the API to get this information: https://tmi.twitch.tv/group/user/USERNAME/chatters


Bits

Bits are related to Donations because they are a virtual currency we can buy with real money. Once the bits are bought, you can choose to “cheer” the number you want on a specific channel with a custom message in the chat. Some streamers activate an on-screen alert that shows the name, amount and message of the donor.

Here are the current prices:

Depending on the amount of bits spent on channels, users can get badges.


Badges

Badges are also related to channel emotes because we can find them in front of usernames in the chat. They are awarded either with subscription after a certain period of time, when the user has some permissions/rights in the chat (moderator, VIP, Twitch staff member, etc…) or when some events happened on Twitch.

Here is a Twitch guide that explains what the main badges are and what they do: https://help.twitch.tv/s/article/twitch-chat-badges-guide?language=en_US

Not all badges are listed in the article above, some of them are temporary and we will talk about them in the Predictions section.

You can also find all the globally accessible badges on Twitch on https://twitchinsights.net/badges

There is one combination of badges I’ve never seen on any website explaining badges:

This is the combination of the Moderator badge and the Bot badge:

The weird thing is that he is not considered as a bot by the API:

So there is no reason he has this badge. If you have more information about this, do not hesitate to contact me on Twitter


3) Categories

Categories are games or activities referenced on Twitch. They can be accessed at https://www.twitch.tv/directory.

Tags

Use tags to find more specific live channels or categories. We can only use one filter at a time and we can’t use custom filters. Here is the list of all tags (directories and streams): https://www.twitch.tv/directory/all/tags This can be useful to match only specific themes.


4) Livestream

Title

The title gives us information about the current livestream, sometimes the planning and even some commands available. We’ll see this in another section (Bots) but we are able to list all commands usable on a channel.

An #AD in a title means the broadcaster is currently in a partnership with a company. The livestream is sponsored and it’s indicated with the #AD (Advertisement) tag.


Tags

As with categories, tags also exist on channels. There are more tags for livestreams than for categories. The behaviour is the same as for categories (only one tag at a time, etc…).

Here is an example of default rewards we can get:


Channel points

This is a virtual currency that we can get only by viewing a livestream and betting on predictions. Unlike bits, it cannot be bought. The number of points you earn depends on multiple factors:

Channel points are only available for Affiliates and Partners. Most of the time, streamers set funny actions we can buy with these points.

Here is the documentation showing how channel points can be customized: https://help.twitch.tv/s/article/channel-points-guide?language=en_US

A certain amount of channel points means the user viewed the livestreams for a long time. Some channels have an extension from https://soundalerts.com/ that makes it possible to see how many channel points viewers have (below the stream or in the “About” section):

Someone developed a tool to calculate how much time it costs to get a certain amount of channel points: https://kleosdc.github.io


Content

Sometimes the best way to find information about someone is to view their content.

This is especially true if the streamer is not playing a specific game but rather browsing the Internet, websites or whatever. We can get information about sites the streamer is using, usernames or potentially sensitive pieces of information. As shown below, we know this guy has Discord, Spotify, Steam accounts. For Steam we already have it (top right).

Bookmarks can give us a lot of information. We can see the user’s profile picture in a small format, and it can later confirm a potential matching Google account if we find one:

The following capture could be more problematic if the Google Doc is badly configured and accessible to everyone (+ all the bookmarks):


Donations (sub gifts, bits, money)

Donations are a way to support your favourite streamers. They can be done in different ways: by gifting subscriptions to other viewers, by buying bits from Twitch and sending them to a specific streamer, or by making a direct donation. The latter is mostly done through streamlabs.com.

If a streamer uses Paypal as a platform to receive donations and if he/she uses a personal account then it is possible to retrieve some private information about that person (https://www.reddit.com/r/Twitch/comments/viiqmj/donations_through_streamlabs_and_paypal_revealing/).

Donors are generally shown on stream with an alert and the amount donated. Sometimes the top donor is also specified somewhere on stream (near the top/bottom of the screen or camera).

Twitch gifts are distributed using the list of current users (we can see them by clicking the icon at the top of the chat, to the right of the stream, and switching to viewers), but this functionality is buggy: even if you have never been on a specific channel, someone can randomly gift you a sub on that same channel:


Subscriptions

The subscription is another method to help the streamer instead of directly giving money to him/her. You buy a subscription to his channel. There are 3 different tiers with different prices.

With subscriptions you can get exclusive emotes, and you earn more channel points depending on your sub tier (see Channel points).

The number of subscribers for a channel can be found on the famous https://twitchtracker.com but also on https://twitchstats.net/

Careful, not all streamers have the subscribers count listed on these websites.


Subgoals

Sub goals are objectives to reach to unlock an action/event or whatever defined by a streamer. It is set to make your audience interact with you and encourage the community to subscribe and gift subs to reach this goal.

It is not possible to access this data for any of the streamers.

For instance this subgoal bar is proposed by Twitch:

There are also custom subs counters:


Sponsors / Ads

During a live broadcast, streamers often show their current sponsors on screen. This is the case as seen below with the streamer “Edwin_live” where 4 sponsors are scrolling in an infinite loop:

These pieces of information could be used to track all the sponsors the streamer has had.


Raid

A raid redirects all viewers of the current live broadcast to the desired live channel. It means the URL changes to the raided channel.


Host

Unlike a raid, a host is a feature that shows another channel’s livestream on our own channel page without redirecting viewers to the hosted streamer. It means we can view someone else’s livestream and continue interacting in the chat on the hosting channel.

Here is an article that better explains the differences, pros and cons of both of these features: https://streamersplaybook.com/difference-between-raid-and-host-on-twitch-what-to-know/


Uptime

This is the time elapsed since the stream started. It is visible on all current livestreams. Some bots have the !uptime command to tell how long the streamer has been online.

For past broadcasts it is not possible to directly see when the stream started. We have the duration of the VOD but not the starting hour. Websites like https://twitchtracker.com index past streams with their start and end times.

The maximum broadcast length is a consecutive 48 hours (https://help.twitch.tv/s/article/broadcast-guidelines?language=en_US).

Depending on how the bots are configured, some more information could be found such as the number of messages sent since the beginning of the livestream:


Alerts

Alerts are popups that appear on screen when an action is triggered. This could be a subscription, a sub gift, a donation, a cheer (with bits), a host, a raid, etc…

Here are some examples of what an alert could look like:


Social Networks

We already discussed social networks in Social Networks, but this time it concerns social networks directly visible on livestreams (it happens more rarely).

In the decor of “Nilojeda”:

The Twitch logo with the name below tells us another channel name: “IlloJuan”. He is another Spanish-speaking streamer. We can assume these two people know each other and maybe even share the same studio to record videos or to stream.

Sometimes social networks are scrolling on the screen as shown with the French streamer “Gom4rt”:

Another example with all social networks in the same scene:


Squad stream

When multiple streamers want to form a temporary group they can create a squad stream. A maximum of 4 streamers can be in a squad stream. They can also be searched for in the “Live Channels” listing:

Here is an example of a streamer who is in a squad stream:

When clicking on the “Watch in Squad mode” button we’re redirected to https://www.twitch.tv/USER/squad with the POV of all other streamers in the same squad mode:

We can click on the different POVs to switch the focus and the chat.

This can be used as a pivot to find other streamers linked to our target.


Video Stats

Advanced statistics are accessible on every video (livestreams, past broadcasts, clips):


Viewers bot

Having a lot of viewers doesn’t mean the streamer is known. It could be a host, raid or simply fake viewers (bots). Some websites sell bots to go on streams and increase the number of viewers. This technique is totally forbidden by the Twitch ToS and may result in a ban.

For the purpose of this article, I bought 100 live views for 10 minutes at 3 dollars, to see if it was working. I won’t give the name of the website but you should find it easily.

Of course we can pay with crypto currency and we have a reduction of 5%! WOW!

After an hour of livestream on Twitch, here is the stream summary:

We are pretty far from the 100 viewers I bought.

Unsurprisingly, these kinds of websites are scams. Maybe some of them are sometimes working but it is not worth the price.

Here are some bots which were on the chat:


Ban / Timeout

A user can be banned or timed out from a single or multiple channels even if the streamer is not broadcasting. A timeout means the user cannot write in the chat for a specified duration (for instance, 600 seconds).

A timeout looks like this:

The viewer can still see the chat but cannot write in it for the duration of the timeout.

A ban is more punitive because it is for an indefinite period of time and it can only be cancelled manually. Moreover, it is no longer possible to see the messages in the chat:

As mentioned in the screenshot, a user can ask to be unbanned. The moderators and broadcaster can then choose to keep the user banned or unban him/her.

A ban is stronger than a timeout. If a user is timed out for 5 minutes, banned after 60 seconds and directly unbanned, he could speak again in the chat.


Predictions

Predictions are related to channel points. Broadcaster and moderators can create predictions. This is a kind of bet with a question and multiple possible outcomes. Then the viewers choose the answer they want with the amount to bet on the desired one. A viewer cannot choose multiple answers on a prediction and cannot change them.

At the end of the time to predict, the prediction is locked and the streamer or moderators choose the correct answer and distribute the points between the different viewers that bet on the correct answer.

In the sub section Badges we talked about special badges that are temporary. This is the case for predictions. Indeed, all viewers who bet receive a temporary badge corresponding to their answer. If someone chooses the answer 1 then he will get the following badge:

Same for the other team:

It is also possible to specify more than two answers (up to 10). In this case, the corresponding badges are set.

To get more information about the predictions you can access the official Twitch article: https://help.twitch.tv/s/article/channel-points-predictions?language=en_US


Polls

Polls look like predictions but without the need to bet channel points. This is only to ask the chat about something.

Here again, there is an awesome official article made by Twitch to explain what polls are and how they work: https://help.twitch.tv/s/article/how-to-use-polls?language=en_US


Drops

Drops are presents that you can win by viewing specific livestreams for a determined period of time. This is often done when a new event takes place in a game or when a new game is released.

Most of the time you can win limited items in-game.

More information about drops here: https://dev.twitch.tv/docs/drops


5) Past broadcasts

Any streamer can choose to leave the past broadcast online or not. In the first case, either the broadcast is available to anyone or only to subscribers. If it is for everyone, then the messages are also visible with the timecode corresponding to the video. With tools such as streamlink, it is possible to record the livestream and have a copy of it locally, even if the streamer deletes the past broadcast or if it is no longer accessible.

The past broadcasts are only available for 14 days for basic users and 60 days for Twitch Partners, Prime and Twitch Turbo users (https://help.twitch.tv/s/article/video-on-demand?language=en_US).

During past broadcasts the Chat is also accessible and we can perform the same actions as if it was in a basic livestream.

The tool used to record the chat of a livestream in real time works on past broadcasts too (https://github.com/xenova/chat-downloader)


6) Clips

Clips are moments / small videos of 1 minute maximum taken from a past broadcast or livestream. To create a clip, click on the bottom right of the screen:

We’re then redirected to another page to “customize” the clip:

There is a timeline (yellow) to modify the duration (from 5 seconds to a minute) of the clip and the selected moment (we can go back to 1 minute 30 seconds before the clip button was clicked).

Warning! Even if the “publish” button is not pressed, the clip is created and can be accessed by the channel’s owner.

A streamer can choose to deactivate the clips.

I don’t have the information about how long a clip can be accessed through Twitch. But I’ve seen clips older than 4 years.

As with past broadcasts, clips have the Twitch chat available. If a clip is old and the past broadcast related to it is no longer available then you will have this message:


7) Followers

All the users following a single or multiple channels are visible and accessible. There is no way to hide this information.

We can access them through multiple websites or the Twitch API, either directly by querying the API (https://dev.twitch.tv/docs/api/reference/#get-users-follows)

Or through some websites that offer this as a graphical service:

From there we could potentially find the kind of streamers or games the user plays. For instance, knowing the target follows a lot of League Of Legends streamers could give us the idea to look on websites such as op.gg to investigate further.

Another good indicator is the streamers the target is following. We can capture the chat messages of live streaming and dig into messages of past broadcast searching for our target interactions. But we will see this in another section.

Overlapping communities

It is rare that a user is only viewing one streamer. Overlapping communities are users that view multiple channels/streamers. They can be identified with https://stats.roki.sh/.

If two streamers generally stream together or have interaction between them, it is highly possible that the two communities are close.

This is a good complement to the “Following channel” technique we saw previously because sometimes users may view streamers they are not following.


8) Bots

Commands

Sometimes bots can give a lot of information concerning commands and old ones.

Here are some URLs used by the most known Twitch bots to list the available commands:

StreamElements has also stats about the chat (total messages, top chatters, top Twitch emotes, top commands, etc…) for channels using the StreamElements bot: https://stats.streamelements.com/c/USER

Wizebot has also a leaderboard of uptime, messages count and subs by viewer.

To check what bot is used on a channel, we can either check all the above bots with the target username or go directly to the target channel and look in the viewer list (see Viewers list).

If a bot is present on a livestream but is not as known as other ones, we can search on this website: https://twitchbots.info/. Maybe it is based on a known bot. Sometimes bots are renamed but are the same as others. If the bot isn’t listed on the website you can submit a record for the bot.

For instance, the bot on BagheraJones’ channel is named “kikettebot”:

When we try to get more information about the available commands by typing “!commands” in the chat:

It says: “There are never enough commands!”

We’ll search for it on https://twitchbots.info/:

The bot type is Wizebot. We can now use https://bagherajones.streaming.lv/?commands to get more information about the available commands:

The only command we see is “!perche”. A message says we must be connected to see the commands related to our permissions. That means some commands are only available internally or for specific roles. But on the right, we have a lot of words that seem to be categories for commands. Even if it is not possible to see the detail of those commands, we can guess what kind of commands this could be.

Sometimes it is hard to identify bots even with the technique above. When bots are configured with default settings it is possible to identify them in a pretty easy way.

For instance, if the bot is sending this kind of message with this format this is likely Wizebot:

Same with the number of new followers:

Same again with the timeout in seconds specified at the end of some commands


Announcements

When subs are gifted, a user subscribes, a user follows, etc… a bot can send a message on the chat:

Every X minutes the bot can send messages defined by the streamer to announce the social networks or stuff like that. If we go back to our previous example with “Kikettebot”:

It says: “List of commands to react”. Thanks to this message we were able to find more commands that were not visible through the Wizebot panel.

Bots and moderators can also choose to highlight a specified message in the chat as an announcement:


9) Overall stats

In this article we focused on specific elements to perform OSINT investigations on Twitch, but there are also a lot of other amazing resources to get statistics. You should have a look at them:

With Streams Charts we can also see the audience overlap, but we don’t have all the stats because it’s only available to PRO (with a subscription). It is also the only website I found that shows achievements for channels. Even if they are not very accurate it gives us an idea about them. This is an awesome website to explore and the free part of it can still be useful.

An awesome tool made by @CommanderRoot allows you to search channels using filters such as minimum viewers, maximum viewers, broadcaster language, title, etc…: https://twitch-tools.rootonline.de/channel_previews.php


10) Twitch API

Here is some information to know about the Twitch API:

You can get more information about the API here: https://dev.twitch.tv/docs/api/


11) Links/resources:


Special thanks

Thank you for reading this article. Do not hesitate to contact me on Twitter if something is wrong or if you want to improve this article.

Thanks to @cyb_detective for his awesome thread (https://twitter.com/cyb_detective/status/1489731971978776590)