Saurabh's Blog

SoundCloud Addresses Several Critical Vulnerabilities in its APIs

Published 3 months ago
Image Credit: www.threadpost.com (ThreadPost)

Security is of the utmost importance when software handles user data, which is true of almost all software. SoundCloud is an audio social platform similar to the YouTube video streaming platform. SoundCloud has addressed several critical vulnerabilities in its Application Programming Interface (API). According to the Checkmarx Security Research Team, these bugs could have allowed threat actors to compromise user accounts, perform DoS attacks, and exploit the service to steal valuable information.

On November 11, 2019, according to Paulo Silva of Checkmarx Security Research, three distinct security vulnerabilities were reported in the API: broken authentication, a rate-limiting bug, and improper input validation.

Insights

According to Paulo Silva, the broken authentication in the /sign-in/password endpoint of the API stems from the endpoint failing to lock an account after repeated failed authentication attempts. It relies purely on rate limiting, which can be worked around by brute-force methods such as credential stuffing.

The rate-limiting bug concerns the absence of any limit when a user retrieves a number of songs through search. A potential attacker can send a huge number of POST requests from a single IP address, or issue high-volume GET requests for a large number of songs. Since no rate limit is enforced, either of these can overwhelm the API. This could also create artificially biased demand for certain tracks or artists, which in turn affects the business. The attacker can likewise perform DoS attacks by exploiting the rate-limiting bug.

Checkmarx Security Research also discovered an improper input validation flaw in the API. According to the research, a threat actor could submit very long character strings as the title and description when uploading a new song, which opens the door to cross-site scripting (XSS) or SQL injection attacks.
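As an added illustration (not SoundCloud's or Checkmarx's code), the following Python models the three weaknesses above in hardened form: a sign-in path that can run with per-IP rate limiting only, the design the advisory criticised, or with the per-account lockout it lacked; and an upload path that enforces length limits on track metadata, stores it with a parameterised query, and escapes it on output. The endpoint name, thresholds, the in-memory user store and the sample inputs are all assumptions made for the example.

```python
"""Defensive reference model for the three weaknesses described above.

Added illustration, not SoundCloud's or Checkmarx's code. Thresholds,
the credential store and the in-memory counters are assumptions.
"""
import html
import sqlite3
from collections import defaultdict, deque

# Constructed credential store standing in for the real user database.
USERS = {"alice": "correct-horse-battery-staple"}
MAX_TITLE, MAX_DESCRIPTION = 100, 4000  # assumed upload limits


class RateLimiter:
    """Sliding-window limiter keyed by any string (here: the client IP)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGuard:
    """Per-account lockout: the control /sign-in/password was reported to lack."""

    def __init__(self, max_failures=5, lockout_s=900):
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now):
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
            self._failures[user] = 0

    def record_success(self, user):
        self._failures.pop(user, None)


def sign_in(user, password, client_ip, now, ip_limiter, guard=None):
    """guard=None reproduces the IP-limit-only design; a LoginGuard adds
    the per-account lockout. Returns a status string, never a session."""
    if not ip_limiter.allow(client_ip, now):
        return "rate_limited"
    if guard and guard.is_locked(user, now):
        return "locked"
    if USERS.get(user) == password:
        if guard:
            guard.record_success(user)
        return "ok"
    if guard:
        guard.record_failure(user, now)
    return "bad_credentials"


def guesses_reaching_credential_check(n_sources, use_lockout):
    """Simulate n_sources distinct IPs each sending one wrong password for
    one account, and count how many guesses actually reached the password
    comparison. Per-IP limiting alone stops none of them."""
    limiter = RateLimiter(limit=10, window_s=60)
    guard = LoginGuard() if use_lockout else None
    checked = 0
    for i in range(n_sources):
        status = sign_in("alice", f"guess-{i}", f"203.0.113.{i % 256}",
                         now=float(i), ip_limiter=limiter, guard=guard)
        if status in ("ok", "bad_credentials"):
            checked += 1
    return checked


def validate_track_metadata(title, description):
    """Length checks the upload path was reported to be missing."""
    if not 0 < len(title) <= MAX_TITLE:
        raise ValueError("title length out of range")
    if len(description) > MAX_DESCRIPTION:
        raise ValueError("description too long")
    return title, description


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracks(id INTEGER PRIMARY KEY, title TEXT, description TEXT)")
    return conn


def store_and_render(conn, title, description):
    """Parameterised insert (no SQL injection) and escaped output (no XSS)."""
    validate_track_metadata(title, description)
    conn.execute("INSERT INTO tracks(title, description) VALUES (?, ?)",
                 (title, description))
    row = conn.execute("SELECT title, description FROM tracks "
                       "ORDER BY id DESC LIMIT 1").fetchone()
    return f"<h1>{html.escape(row[0])}</h1><p>{html.escape(row[1])}</p>"
```

The point of the simulation is the contrast the advisory drew: a limiter keyed on the source address never fires when each guess arrives from a different address, whereas a counter keyed on the target account locks it after a handful of failures regardless of where they come from. The upload path shows the other half of the fix: bound the input size, keep data out of the query text, and encode it for the output context.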

Conclusion

As you can infer, the above vulnerabilities affect all three pillars of the CIA triad. Confidentiality is in question when user accounts are compromised. Availability is affected when attackers perform DoS attacks using the rate-limiting bug. Integrity is compromised when an attacker exploits the improper input validation flaw through XSS or SQL injection. These attacks could pose a serious threat to SoundCloud's business. Fortunately, SoundCloud immediately reached out to the Checkmarx Security Research Team and addressed all the vulnerabilities; by January 30, 2020, SoundCloud had patched them in its latest update.

References

  1. SoundCloud Tackles DoS, Account Takeover Issues
  2. Checkmarx Research: SoundCloud API Security Advisory
  3. SoundCloud Fixed API Flaws That Could Lead to Account Takeover