Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.
SoundCloud recently sold a $75 million stake to satellite radio giant SiriusXM and the two also inked a lucrative ad deal. SoundCloud claims to host 200 million different music tracks on its online platform.
According to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: A authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation.
The broken authentication issue has to do with not having a set number of login tries before locking someone out of the account – which opens the door to unlimited brute-force attacks from cybercriminals trying to guess passwords.
“The /sign-in/password endpoint of api-v2.soundcloud.com does not implement proper account lockout based on failed authentication attempts,” according to Silva, in an analysis posted Tuesday. “It solely relies on rate limiting which can be evaded using several combinations of use_agent, device_id and signature.”
That means that credential stuffing — the automated process of verifying that breached pairs of usernames and passwords work for not only the services that they originated from, but also other services — could have become a real issue. Digital Shadows recently pointed out that the market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords.
Checkmarx also found a related user enumeration weakness that could be used to verify valid user account IDs as well, making it even easier to hack accounts. An attacker can exploit this to guess account names and then probe whether or not they actually exist.
“Both /sign-in/identifier and /users/password_reset endpoints of api-v2.soundcloud.com can be used to enumerate user accounts,” explained the firm. “In both cases, the endpoints provide different responses depending on whether the requested user account identifier exists or not.”
The rate-limiting issue meanwhile has to do with SoundCloud not limiting how many song results can be retrieved in certain searchers.
For instance, the /me/play-history/tracks API endpoint, which allows users to view recently played songs, doesn’t enforce rate limiting. Thus, an attacker can send a large number of POST requests from a single machine/IP address, or can use a high-volume GET request to return hundreds of tracks at once. This can not only potentially overwhelm the API if several of these are sent at the same time, but it could also be used to artificially inflate the statistics for demand for certain tracks or artists.
“The lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks,” according to Checkmarx. “From a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics.”
A related issue has to do with the /tracks endpoint of api-v2.soundcloud.com, which Silva said does not implement proper resources limiting – also potentially leading to DoS.
“Since no validation is performed regarding the number of tracks IDs in the ids list, it is possible to manipulate the list to retrieve an arbitrary number of tracks in a single request,” he said, adding that in testing, researchers were able to retrieve up to 689 tracks in a single request.
“Using a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer, will make the target’s system services unavailable,” Silva explained.
The improper input validation issue meanwhile would allow the attacker to use extra-long character strings when filling in the description, title and genre forms while uploading songs, according to the research. An exploit could make use of this to carry out cross-site scripting attacks or SQL injection.
“The /tracks/{track_urn} endpoint of api-v2.soundcloud.com does not properly validate and enforce the length of [these] properties,” Silva explained. “Issuing requests directly to the API server puts the attacker in control of an additional 61960 bytes (total of 66160 bytes).”
For its part, SoundCloud promptly fixed the problem and sent out a statement: “At SoundCloud, the security of our users’ accounts is extremely important to us. We are always looking for ways to enhance the security of our platform for our users. We appreciate Checkmarx reaching out to discuss their findings.”
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.
