In online spaces, VTubers have been steadily growing in popularity in the past few years – they are entertainers using motion capture tech to animate a special-sauce 2D or 3D model, typically livestreaming it as their avatar to an audience. The tech in question is pretty fun, lively communities tend to form around the entertainers and artists involved, and there’s loads of room for creativity in the VTuber format; as for viewers, there’s a VTuber for anyone’s taste out there – what’s not to like? On the tech side of making everything work, most creators in the VTubing space currently go with a software suite from a company called Live2D – which is where today’s investigation comes in.
[undeleted] from [Ronsor labs] has dug into reverse-engineering the Live2D core libraries – a tasty target, given that Live2D is known for sending legal threats to even the mildest forays into the inner workings of their software. Typically, such behaviour means that a company has something to hide, and indeed, a peculiar aspect was found immediately – turns out, it’s exceptionally trivial to craft a 3D model file which allows arbitrary code execution. There’s a complete lack of boundary checks of any kind when importing a model, making the import code alone vulnerable to an obscene degree; a ready-to-run proof of concept .moc3 file is provided in a repository, limited to merely crashing the Live2D viewer and any of its integrations.
Now, VTubers typically have to put effort into keeping their anonymity, for either safety or parasocial management reasons, and ..
Support the originator by clicking the read the rest link below.
