
"Caption Ghosts": Captions unintentionally shared with other users

Open reymarkus opened this issue 6 months ago • 5 comments

Hello, I think I just found a weird bug thanks to a streamer who used and experienced this, and they dubbed it "Caption Ghosts". I don't know how frequently it happens, but as far as I can tell from the streamers' VODs, when they enter a Caption Ninja room there may be a chance two unrelated users will share (for lack of a better term) their caption outputs, causing an unintentional (but wholesome so far) overlap. But from a security and privacy standpoint this is something bad.

This was first observed by the VTuber named Crimzon Ruze from hololive production and his fans.

Case 1: Ruze, Trashbaby Aia, and alluringAllegro

It happened during his Minecraft stream (timestamped) on 7 June 2025 17:28 UTC. The streamer used Caption Ninja, and somewhere down the line they are both sharing caption outputs from another streamer named Trashbaby Aia (no stream archive, but they talked about it on another video). Relevant clip showcasing the bug from both sides: https://www.youtube.com/watch?v=B_FYN6Lymlw

Screenshot samples:

Ruze PoV
From this sample, Ruze noticed in the captions that someone said "...dedicated and capable", which he read the captions before it was processed to the output

Case 2: Ruze and Nerds With Dice

This time it happened recently from both Ruze on YT and Nerds With Dice on Twitch. Ruze streamed Grounded on 21 June 2025 00:25 UTC (timestamped to where he starts speaking) and Nerds With Dice streamed their fundraiser TTRPG session on the same day (timestamped to where Ruze starts streaming while their TTRPG session is underway).

Ruze PoV Nerds With Dice PoV
After playing his intro, on a split-second frame we can see unrelated caption output from someone named Mary. He was surprised to have a Caption Ghost who is doing a TTRPG, to which he is a TTRPG nerd himself
Said Mary is the DM of their Girl By Moonlight: Revive the Dead City session
Ruze's first "real" interaction with Nerds With Dice
They still never noticed
For the sake of brevity, I'll skip to the turning point on Nerds With Dice's PoV; you can watch both archives simultaneously to check it on your end
Around 20-25 minutes after Ruze started his stream, Nerds With Dice confirmed that they are using Caption Ninja and had created a new caption room link, hence why the report was made

I hope you can look into this since I believe it's a huge security and privacy issue.

reymarkus avatar Jun 21 '25 16:06 reymarkus

Thank you kindly for reporting the issue.

@reymarkus, do you know what room name you used? Was it a custom room name that was used?

steveseguin avatar Jun 21 '25 19:06 steveseguin

I've increased the length of randomly generated string from 7 to 16 characters in length. It should be near impossible to have the same room ID as someone else, but if you manually specify a room ID, such as "test" or "guest1", you will encounter an issue.

I'll try to warn users who select room IDs that are insecure though


steveseguin avatar Jun 21 '25 19:06 steveseguin

To help those who are using an insecure room ID, I'm now alerting you to this fact when starting the transcribe.


steveseguin avatar Jun 21 '25 20:06 steveseguin
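
An added example, not part of the thread and not Caption Ninja's code: a sketch of the two measures described in the comments above, drawing a 16-character room ID from a CSPRNG and flagging hand-picked IDs that are easy to guess. The 36-symbol alphabet, the 12-character minimum and all function names are assumptions; the birthday-bound function compares 7 and 16 random characters at a given number of rooms.

```javascript
// Added example; not Caption Ninja's code. Alphabet, thresholds and names are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789'; // assumed 36-symbol alphabet

// Draw every character from the CSPRNG; rejection sampling avoids modulo bias.
function generateRoomId(length = 16) {
  const limit = 256 - (256 % ALPHABET.length); // 252, the largest multiple of 36 <= 256
  let id = '';
  while (id.length < length) {
    const bytes = rng.getRandomValues(new Uint8Array(length * 2));
    for (const b of bytes) {
      if (b < limit && id.length < length) id += ALPHABET[b % ALPHABET.length];
    }
  }
  return id;
}

// Birthday bound: chance that at least two of `rooms` uniformly random IDs collide.
function collisionProbability(rooms, length) {
  const space = Math.pow(ALPHABET.length, length);
  return -Math.expm1(-(rooms * (rooms - 1)) / (2 * space)); // 1 - e^(-n(n-1)/2N)
}

// Hypothetical weak-ID check: too short, a guessable name, or one repeated character.
const GUESSABLE = new Set(['test', 'test123', 'guest1']); // names quoted in the thread
function isWeakRoomId(id, minLength = 12) {
  const v = String(id).trim().toLowerCase();
  return v.length < minLength || GUESSABLE.has(v) || /^(.)\1*$/.test(v);
}

// Compare the old and new ID lengths for a constructed load of 100,000 rooms.
function demo(rooms = 100000) {
  return { 7: collisionProbability(rooms, 7), 16: collisionProbability(rooms, 16) };
}

console.log(generateRoomId(), demo());
```

The bound covers only accidental collisions between randomly generated IDs; a room ID that is typed by hand or passed along in a shared link is outside it, which is what the weak-ID check is for.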

> @reymarkus, do you know what room name you used? Was it a custom room name that was used?

Haven't tested this on my end actually, but the streamer on the first case did say that they were given a unique URL, so I assume a normal room

reymarkus avatar Jun 21 '25 23:06 reymarkus

@reymarkus I'd have to trust that they used a secure room name, and not something like test123. The code I put in place should prevent that though going forward.

However, if they were "given" a link by another person, and they didn't change the room ID of the link they were given, they would then be sharing it with other people who used that same link. If this was the circumstance, it does get a bit more complex from a UX perspective. I can try to find a way to account for this situation, however confirmation that this was the cause would save me some grief in adding additional user friction needlessly.

Either way, I very much appreciate the report.

steveseguin avatar Jun 22 '25 04:06 steveseguin