SoundCloud Was a Target for Credential Stuffing Attacks Due to the Unlimited Number of Login Attempts

With over 170 million users, SoundCloud is undoubtedly one of the world's largest audio streaming platforms. According to Alexa, it's in the Top 100 most visited websites, which made it a perfect candidate for a good look around by Checkmarx's security research team. Back in November, Checkmarx's experts were researching the state of API security in widely used online platforms. It's safe to say that they weren't particularly happy with what they found at SoundCloud.

Checkmarx's researchers discovered several security vulnerabilities in SoundCloud's API, which could have presented hackers with plenty of attack opportunities. In most scenarios, the criminals would have been able to do little more than disrupt SoundCloud's service, but there was a combination of two security oversights which, coupled with people's bad password habits, could have allowed a large-scale account takeover attack.

Two SoundCloud bugs made credential stuffing and brute-force attacks easy

Credential stuffing is one of the easiest ways of compromising the online accounts of a large number of people, which isn't surprising considering the vast quantities of stolen passwords that get spilled on the internet every day. Crooks also don't shy away from mounting more traditional brute-force attacks when they get the chance, which is why, when Checkmarx's researchers started their investigation into SoundCloud's authentication system, one of their first tasks was to see whether the streaming platform's users were protected against this sort of activities. It turned out that they weren't.

First, the researchers realized that they could enumerate SoundCloud accounts with relative ease. They took an email address and queried a couple of the API's endpoints (the ones facilitating the sign in and password reset processes). In both cases, the endpoints' responses would clearly indicate whether an account with this email address exists, which meant that using a script, an attacker could automatically perform a large number of queries and put together a list of valid SoundCloud accounts. Then, they could brute-force their way in.

During their investigation, Checkmarx's researchers found out that SoundCloud had put no limit on the number of unsuccessful login attempts performed on a single account. Armed with a list of email addresses associated with valid SoundCloud profiles (which, as we already established, is not difficult to obtain), the hackers could try as many passwords as they wanted for each and every one of them. A credential stuffing attack was arguably even easier. The only thing the hackers needed to do was bypass the rate limiter, which, according to Checkmarx, was possible with slight modifications of the requests.

Security errors made SoundCloud vulnerable to DoS attacks

The scenario was not exactly far-fetched, and the possibility of account takeover, especially for people who reuse their passwords, was very real. Before reporting the vulnerability to SoundCloud, however, Checkmarx's experts decided to do some more poking around and look for other flaws that might put users or the service itself at risk. It turned out that there were a few more problems.

A lack of proper resource limiting meant that by manipulating a request to the /tracks endpoint of SoundCloud's API, the researchers managed to retrieve a list of close to 700 track IDs. Under normal use, the API would return just 16 track IDs, which should give you an idea of how much pressure the crafted requests could put on SoundCloud's hardware. It was a Distributed Denial of Service (DDoS) attack waiting to happen.

Another error in the resource- and rate-limiting implementation could have given attackers the chance to corrupt the data SoundCloud was displaying, and an old version of the Nginx web server gave away information on the system the service was running on. An input validation error in the API also meant that an attacker could enter long strings of characters in the Description, Title, and Genre field when uploading a new song, which, theoretically, opened the opportunity for further exploitation.

SoundCloud fixed the vulnerabilities quickly

Checkmarx's researchers knew that SoundCloud had quite a few problems to fix, which is why they wasted no time disclosing the issues. The report was sent on November 11, 2019, and on the very same day, the streaming platform confirmed that it has started investigating. Within less than a month, the most severe of the vulnerabilities were patched, and by late-January, all of Checkmarx's concerns had been addressed.

In their report, the researchers noted that they are impressed with the professionalism shown by SoundCloud's security team. Unfortunately, nowadays, we don't see this as often as we should.