SoundCloud is sufficiently popular for potential abuse

May 18, 2015 15:20 GMT

A security researcher poked SoundCloud’s service long enough to discover a cross-site scripting (XSS) vulnerability and a bug that allowed an attacker to deliver a torrent of email messages from the platform, which may cause distress to users.

SoundCloud is a highly popular platform for sharing audio content, enjoyed by at least 175 million users, according to statistics in December 2014.

Abusing the song name field

It appears that the service did not sufficiently sanitize the content received from users, so an attacker could enter a malicious script in the song name field. The researcher, going by the name Triponoid, says that this was possible because of a previous, similar flaw.

In a video (embedded below) demonstrating the glitch, he shows how a comment on the track with the malformed name would trigger the XSS bug. Authentication and user interaction are required for the attack to be successful.

Triponoid says that he ran the tests in Internet Explorer 11, Mozilla Firefox and Google Chrome, on systems running Ubuntu and Windows 7.

Flooding user inbox

Another vulnerability reported by the developer involves directing a deluge of messages to the email accounts users registered with SoundCloud, because the service places no limit on the incoming messages it processes and sends them all.

The attack consists of flooding inboxes with password reset requests, and it can be carried out automatically via an exploit, as demonstrated by the researcher in a video below the article.

A possible scenario he describes involves sending multiple password reset emails to SoundCloud users. He says that one of the consequences could be the messages being marked as spam, although this also depends on the email service used.

However, some users may think that the platform has been hacked or something is terribly wrong with it, given the abnormal amount of password reset messages delivered.
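The missing limit described above can be sketched as a per-recipient and per-source throttle in front of the reset mailer. This is an added example, not SoundCloud's code or its actual fix; the class name, the caps (3 mails per address and 10 requests per client IP per hour) and the reply text are assumptions.

```python
import time
from collections import defaultdict, deque


class ResetMailThrottle:
    """Sliding-window limiter for password reset emails (hypothetical helper)."""

    def __init__(self, per_address=3, per_source=10, window=3600.0,
                 clock=time.monotonic):
        self.per_address = per_address  # assumed cap: mails per recipient
        self.per_source = per_source    # assumed cap: requests per client IP
        self.window = window            # window length in seconds
        self.clock = clock
        self._by_address = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _prune(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, email, source_ip):
        """Return True if a reset mail may be sent, recording the attempt."""
        now = self.clock()
        # Case and stray whitespace must not open a fresh bucket.
        addr_q = self._by_address[email.strip().lower()]
        src_q = self._by_source[source_ip]
        self._prune(addr_q, now)
        self._prune(src_q, now)
        if len(src_q) >= self.per_source:
            return False
        src_q.append(now)  # counted even if the recipient cap refuses below
        if len(addr_q) >= self.per_address:
            return False
        addr_q.append(now)
        return True


def handle_reset_request(throttle, email, source_ip, send_mail):
    """Send a mail only when the throttle allows it; the reply never varies."""
    if throttle.allow(email, source_ip):
        send_mail(email)
    # Same response either way, so the endpoint reveals neither throttling
    # state nor whether the address is registered.
    return "If the address is registered, a reset link has been sent."
```

In a multi-process deployment the two counters would live in a shared store rather than in process memory.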

The bugs are far from being critical, but SoundCloud has amassed a large community and the findings of Triponoid may inspire others to go hunting for more serious flaws that could be used for hijacking accounts or delivering malware.

Both glitches have been repaired by SoundCloud.

[Video: Stored XSS flaw]

[Video: Inbox flooding email]