
Social audio platform SoundCloud fixed multiple security vulnerabilities affecting its application programming interface (API) that could allow potential attackers to take over accounts, launch denial of service attacks, and exploit the service, according to the Checkmarx Security Research team.
SoundCloud is an open audio platform founded in 2007 that provides access to more than "200 million tracks from 25 million creators heard in 190 countries."
It is also "the world’s largest open audio platform, powered by a connected community of creators, listeners, and curators on the pulse of what's new, now and next in culture," according to SoundCloud.
Taking over SoundCloud accounts
According to a report shared with BleepingComputer, while investigating the online music platform for API security flaws, the Checkmarx researchers found several vulnerabilities in SoundCloud's API endpoints that attackers could exploit to launch attacks directed at the platform and its users.
Among these API bugs, the researchers discovered:
• Broken authentication & user enumeration opening the door for account takeovers
• Lack of resource request limiting & rate limiting that could be abused for site denial of service attacks
• Security misconfiguration & improper input validation leading to service exploitation attempts
A Broken Authentication issue affecting the /sign-in/password endpoint of api-v2.soundcloud.com could have allowed attackers to launch automated credential stuffing attacks that would help them harvest valid access tokens.
In combination with a user enumeration bug in the /sign-in/identifier and /users/password_reset endpoints that could be used to obtain valid user account identifiers, it would have allowed threat actors to completely take over SoundCloud user accounts.

"We have no hint of attackers exploiting these vulnerabilities directly. Nevertheless, we found evidence of past incidents that could have been caused by a Broken Authentication issue exploitation," Checkmarx security researcher Paulo Silva told BleepingComputer.
"You can read the user complaint regarding 'Leak of User Data' and SoundCloud's blog post 'Help Us, Help You Keep Your SoundCloud Account Safe.'"
Denial of service attacks
Two other bugs in the /tracks and /me/play-history/tracks endpoints of api-v2.soundcloud.com could have allowed DoS and DDoS attacks because of a lack of proper rate and resource limiting.
The first buggy API endpoint could "be used to perpetrate a Distributed Denial of Service (DDoS) attack: using a specially crafted list of track IDs to maximize the response size, and if requests from several sources are made at the same time to deplete resources in the application layer will make the target’s system services unavailable."
In the case of the second one, "the lack of rate limiting may compromise the system availability, making it vulnerable to DoS attacks" prior to patching.
"From a business perspective, not limiting the amount of requests to this endpoint may compromise the data integrity, since it may create biased tracks-statistics."
The Checkmarx Security Research team also found a security misconfiguration in the /users/{user_id} endpoint that would give attackers access to information needed to launch attacks by targeting vulnerabilities in unpatched software used by SoundCloud's platform.
| Software | Used Version | Latest Version |
|---|---|---|
| Phusion Passenger | 6.0.4 | 6.0.4 |
| Nginx | 1.17.3 | 1.17.5 |
"Having SoundCloud users as a target, Broken Authentication and User Enumeration could have been used together to take control of user accounts," Silva added.
"Unfortunately, industry-wide incidents that expose user data, such as usernames and passwords, are quite common, making leaked data generally available.
"Being a fact that users tend to reuse passwords across multiple sites, along with other bad practices (e.g. guessable passwords), attackers could have exploited:
- the User Enumeration weakness to check whether a leaked username also exists on SoundCloud
- the Broken Authentication weakness to test the associated leaked password, as well as a bunch of other leaked and/or known common passwords, until they achieved a successful sign-in.
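Added example (not SoundCloud's or Checkmarx's code): a small Python model of the API weaknesses described above beside the server-side controls that close them, namely a uniform response for the identifier check so it cannot confirm leaked usernames, a per-identifier attempt limit on the password sign-in so leaked passwords cannot be tried at scale, and a bound on the number of track IDs one request may ask for. The user store, salt, limit values and handler names are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample data: one account with a salted, iterated password hash.
_SALT = b"constructed-salt"  # assumption; a real store salts per user

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice@example.com": _hash("correct horse")}
_DUMMY = _hash("dummy")  # hashed even for unknown users, so timing is uniform

# --- Vulnerable handlers: the identifier check answers differently for
# --- existing and unknown accounts, and nothing throttles repeated guesses.
def vulnerable_identifier(identifier):
    return 200 if identifier in USERS else 404  # 404 discloses "no such user"

def vulnerable_password(identifier, password):
    stored = USERS.get(identifier)
    return 200 if stored and hmac.compare_digest(stored, _hash(password)) else 401

# --- Hardened handlers.
WINDOW_S, MAX_ATTEMPTS, MAX_IDS = 300, 5, 50  # assumed policy values
_attempts = defaultdict(list)  # identifier -> recent attempt timestamps

def _rate_limited(key, now):
    """Sliding window: True once MAX_ATTEMPTS already fell inside WINDOW_S."""
    recent = [t for t in _attempts[key] if now - t < WINDOW_S]
    _attempts[key] = recent + [now]
    return len(recent) >= MAX_ATTEMPTS

def hardened_identifier(identifier):
    # Identical status whether or not the account exists; the caller learns
    # nothing it can use to confirm a leaked username.
    return 200

def hardened_password(identifier, password, now=None):
    now = time.time() if now is None else now
    if _rate_limited(identifier, now):
        return 429  # too many attempts on this identifier within the window
    stored = USERS.get(identifier, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password)) and identifier in USERS
    return 200 if ok else 401

def hardened_tracks(track_ids):
    # Cap how much work and response size a single request can demand.
    return 400 if len(track_ids) > MAX_IDS else 200
```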
SoundCloud has run a Responsible Disclosure program through the Bugcrowd crowdsourced security platform since April 2019, and it just announced that it increased rewards on January 29, with researchers who report critical vulnerabilities being eligible for rewards of up to $4,500.
"At SoundCloud, the security of our users’ accounts is extremely important to us," the company said in a statement.
"We are always looking for ways to enhance the security of our platform for our users. We appreciate Checkmarx reaching out to discuss their findings."
Update February 11, 16:16 EST: Added more information provided by Checkmarx security researcher Paulo Silva.