Live2D: Silently Subverting Threat Models

Screenshot of ImHex hex editor, with the MOC3 file structure being reverse-engineered inside of it

In online spaces, VTubers have been steadily growing in popularity in the past few years – they are entertainers using motion capture tech to animate a special-sauce 2D or 3D model, typically livestreaming it as their avatar to an audience. The tech in question is pretty fun, lively communities tend to form around the entertainers and artists involved, and there’s loads of room for creativity in the VTuber format; as for viewers, there’s a VTuber for anyone’s taste out there – what’s not to like? On the tech side of making everything work, most creators in the VTubing space currently go with a software suite from a company called Live2D – which is where today’s investigation comes in.

[undeleted] from [Ronsor labs] has dug into reverse-engineering the Live2D core libraries – a tasty target, given that Live2D is known for sending legal threats to even the mildest forays into the inner workings of their software. Typically, such behaviour means that a company has something to hide, and indeed, a peculiar aspect was found immediately – turns out, it’s exceptionally trivial to craft a 3D model file which allows arbitrary code execution. There’s a complete lack of boundary checks of any kind when importing a model, making the import code alone vulnerable to an obscene degree; a ready-to-run proof of concept .moc3 file is provided in a repository, limited to merely crashing the Live2D viewer and any of its integrations.

Now, VTubers typically have to put effort into keeping their anonymity, for either safety or parasocial management reasons, and with community-related nuances, the threat model can get pretty involved. Ironically, with the way Live2D software is designed, it’s easy for a maliciously-inclined individual to negate all this privacy-keeping effort through a 2D model, something that is a requirement for most VTubers. Hopefully, this has people look towards free and open alternatives like Inochi2D, already in use by creators like that one VTuber hard at work porting Linux to Apple M1/M2 hardware.

10 thoughts on “Live2D: Silently Subverting Threat Models

    1. Well, I watch small ones, techy and non-techy alike, idk what the large ones do. I figure that the larger-scale ones are bound by a certain ruleset socially and financially. just like any other entertainer when they get large enough. The community also gets too noisy over a certain size, so, the ones with small but loyal audiences are a pretty comfortable pick all around.

  1. Strange … Not impressed :) nor understand the mind frame to even ‘follow’ a VTuber or any normal entertainer for that matter — VTuber or not! Must not get outside much .

    However the technology may find a real ‘use’ down the road. Who knows.

    1. For me, it’s firmly on the list of chill ways I could spend an evening – watching something happen as part of a small community, under the guidance of someone who sets out to keep the atmosphere calm and entertaining! Apparently, I still could use some thoughtless distractions every now and then, no matter how much I deny it ;-P

        1. But a virtual public persona is also an effective proof against physical privacy intrusion. e.g. Gorillaz. If you can quite literally control public presentation of the public persona, and the public demand is for the public persona, then the financial incentive for privacy intrusion that drives that intrusion is significantly curtailed. Can’t snap a compromising photo of a public figure if that public figure would have to generate that image for you in the first place.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.