[BreachExchange] PledgeMusic Vulnerability: Music Site Let Anyone Access Accounts Without Password

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 9 19:16:57 EDT 2017


http://www.ibtimes.com/pledgemusic-vulnerability-
music-site-let-anyone-access-accounts-without-password-2598391

PledgeMusic, a popular social network platform built around music, suffered
from a security flaw that allowed anyone to gain access to a user account
on the site without needing to enter a password, ZDNet reported.

The vulnerability was discovered by users on the site who found they could
login to an account by simply entering the email address associated with
the account. The site would allow the user to login without entering a
password.

Through the flaw, anyone could gain full access to any user’s account as
long as they knew the email address associated with the account—or simply
continue guessing email addresses until they discover one registered to
PledgeMusic. A person attempting to login could enter a password
incorrectly or no password at all and still login to the account.

The site, which is described as a platform to “connect artists and fans in
a way that reaches far beyond a simple stream, download or CD/vinyl sale.”
It allows users to communicate with artists and purchase rare or
collectible items, including backstage passes, instruments and written
music and lyric sheets.

It operates similar to a Kickstarter or Patreon-style crowdfunding effort
for artists, who can grant users unique access to material in exchange for
raising funds to complete projects. Artist who use the platform include
Macy Gray, Cheap Trick, Collective Soul, Black Sabbath, Bullet For My
Valentine and others.

PledgeMusic boasts a community that consists of more than three million
users and about 50,000 artists. It was not clear if artist accounts could
be compromised in a similar way as the user accounts.

Despite provided full access to an account, the security vulnerability
revealed limited information about a user. It did include the last four
digits of the user’s credit card if they stored a payment method on the
site or used one to make a purchase, but the full number was not available.
However, an attacker could make an unauthorized purchase from a user’s
account and run up a significant bill.

PledgeMusic said the flaw has since been fixed—though the company has not
made a public acknowledgement of the flaw and it is not clear if it
informed any affected users of potentially unauthorized logins made to
their accounts.

According to ZDNet, PledgeMusic claimed it "experienced no customer service
concerns or inquiries relating to this issue" and said only “some users”
were affected by the vulnerability. It did not disclose any figures about
the incident.

Earlier this year another music community, 8tracks, suffered from a
security breach that resulted in 18 million user account credentials being
stolen. The passwords for the accounts were encrypted—though that
encryption could be cracked—but the email addresses were exposed.

It is possible, given the similar interest in music that users on 8tracks
and PledgeMusic have, that an attacker could have use the information
stolen in the 8tracks breach to seek out user accounts on PledgeMusic. As
is often the case, initial breaches often lead to additional compromise
down the line.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171009/ec3a3320/attachment.html>


More information about the BreachExchange mailing list