
Twitch Featured Clip Auth Bypass
The purpose of featured clips is to allow streamers to select any clip from their own channel and set it as featured on their main video page. Because featuring suggests that the streamer hand-picked and promoted the clip, there are safety features that stop the clip creator from editing or deleting it once it is featured, and featuring should be strictly restricted to the channel owner and authorized editors.
Featured Clip Auth Bypass (Medium/High)
I was digging around the clip editing feature on Twitch, curious about the data sent when editing a clip. In the POST request was something that caught my eye, a “shouldFeature” flag amongst the JSON metadata. My hypothesis was that the server might only check if I was authorized to edit the clip’s metadata (as the clip creator), but fail to verify my channel-wide permissions for the feature action.
This proved to be the case, revealing a simple Authorization Bypass/IDOR vulnerability. The system would allow me to save my clip edits, without checking if I was permitted to modify the featured state on the target channel. By intercepting the save request and changing the flag from "shouldFeature":false to "shouldFeature":true, I could now force clips on any channel’s featured section.
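The missing check described above, shown beside one way to add it. This is an added example, not code from the original post or from Twitch; the data model, role names and function names are hypothetical and the sample records are constructed.

```javascript
// Constructed sample data; the schema is an assumption, not Twitch's.
const channels = { streamerB: { owner: "streamerB", editors: ["editorE"] } };
const clips = {
  clip1: { creator: "userA", channel: "streamerB", title: "gg", featured: false },
};

// Channel-level permission: owner or authorized editor only.
function canManageChannel(user, channelId) {
  const ch = channels[channelId];
  return Boolean(ch) && (user === ch.owner || ch.editors.includes(user));
}

// Object-level permission: the clip creator may edit the clip's metadata.
function canEditClip(user, clip) {
  return user === clip.creator || canManageChannel(user, clip.channel);
}

// Returns an updated copy so the sample data is never mutated.
function applyEdit(clip, input) {
  return {
    ...clip,
    title: input.title ?? clip.title,
    featured: input.shouldFeature ?? clip.featured,
  };
}

// Before: one object-level check is treated as covering every field.
function updateClipVulnerable(user, clipId, input) {
  const clip = clips[clipId];
  if (!clip || !canEditClip(user, clip)) return { ok: false, error: "forbidden" };
  return { ok: true, clip: applyEdit(clip, input) };
}

// After: changing the featured state also needs the channel-level permission.
function updateClipHardened(user, clipId, input) {
  const clip = clips[clipId];
  if (!clip || !canEditClip(user, clip)) return { ok: false, error: "forbidden" };
  if (input.shouldFeature !== undefined && typeof input.shouldFeature !== "boolean") {
    return { ok: false, error: "shouldFeature must be a boolean" };
  }
  const changesFeatured =
    input.shouldFeature !== undefined && input.shouldFeature !== clip.featured;
  if (changesFeatured && !canManageChannel(user, clip.channel)) {
    return { ok: false, error: "shouldFeature requires channel owner or editor" };
  }
  return { ok: true, clip: applyEdit(clip, input) };
}
```

The hardened handler still lets the clip creator save a title change when the payload carries the unchanged "shouldFeature":false, so ordinary edits are not broken by the extra check.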
Impact
Using this method, an attacker could create clips across thousands of channels, give them nefarious titles, and advertise a website, a service or potentially a virus link. They could then set every clip as featured without any permissions, so that the clips are displayed on every channel's main page. This also implies that the streamer endorses the clip, as it looks like it was the streamer who featured it.
Proof of Concept (PoC) Steps
- Log in as a regular user (User A) and create a clip in Streamer B’s channel.
- Go to the clip editing page for the new clip.
- Intercept the POST request sent to the https://gql.twitch.tv/gql endpoint upon saving.
- Modify the payload, changing the value for shouldFeature:
- "shouldFeature":false -> "shouldFeature":true
- Forward the request.
- Result: User A’s clip is immediately featured on Streamer B’s main channel page, with no permissions required.
Status
This was reported via HackerOne and immediately given a High severity. However, it has since been downgraded to Medium and fixed. Unfortunately for me, Twitch, although owned by Amazon, gives nothing for bug bounties, barely even a thanks.