Security researchers have identified various vulnerabilities within the SoundCloud APITrack this API that could have allowed attackers to gain access to user accounts and easily initiate DDoS attacks. Checkmarx Research conducted the investigation into the online social music platform as part of a broader examination of “the state of API Security in leading online platforms.”
SoundCloud is a music streaming platform that has seen immense growth over the last several years, culminating in SiriusXM recently investing $75M in the company. With such success comes increased scrutiny and Checkmarx’s researchers were able to discover myriad issues within SoundCloud’s APIs.
The first issue that Checkmarx noted in their findings was broken authentication methods that could have allowed bad actors to access accounts through brute-force attacks. Although the /sign-in/password endpoint did implement rate limiting, the researchers found that with several combinations of use_agent, device_id, and signature they were able to bypass these measures. With a technique called credential stuffing (this is when attackers use previously leaked credentials to try to gain access to accounts by “stuffing” them into fields), the researchers found that they could have obtained valid access tokens. A great reminder to change your passwords.
Additionally, the research highlighted that the /tracks endpoint did not implement proper resources limiting and that attackers could deplete resources in the application layer through a DDoS attack. This is possible because as the research stated:
“using a specially crafted list of track IDs to maximize the response size, and issuing requests from several sources at the same time to deplete resources in the application layer will make the target’s system services unavailable.”
SoundCloud appears to have issued fixes for these vulnerabilities as a result of Checkmarx’s research. Make sure to check out the full report for more detail on additional issues.