In online spaces, VTubers have been steadily growing in popularity in the past few years – they are entertainers using motion capture tech to animate a special-sauce 2D or 3D model, typically livestreaming it as their avatar to an audience. The tech in question is pretty fun, lively communities tend to form around the entertainers and artists involved, and there’s loads of room for creativity in the VTuber format; as for viewers, there’s a VTuber for anyone’s taste out there – what’s not to like? On the tech side of making everything work, most creators in the VTubing space currently go with a software suite from a company called Live2D – which is where today’s investigation comes in.
[undeleted] from [Ronsor labs] has dug into reverse-engineering the Live2D core libraries – a tasty target, given that Live2D is known for sending legal threats to even the mildest forays into the inner workings of their software. Typically, such behaviour means that a company has something to hide, and indeed, a peculiar aspect was found immediately – turns out, it’s exceptionally trivial to craft a 3D model file which allows arbitrary code execution. There’s a complete lack of boundary checks of any kind when importing a model, making the import code alone vulnerable to an obscene degree; a ready-to-run proof of concept.moc3
file is provided in a repository, limited to merely crashing the Live2D viewer and any of its integrations.
Now, VTubers typically have to put effort into keeping their anonymity, for either safety or parasocial management reasons, and with community-related nuances, the threat model can get pretty involved. Ironically, with the way Live2D software is designed, it’s easy for a maliciously-inclined individual to negate all this privacy-keeping effort through a 2D model, something that is a requirement for most VTubers. Hopefully, this has people look towards free and open alternatives like Inochi2D, already in use by creators like that one VTuber hard at work porting Linux to Apple M1/M2 hardware.