Another XSS on SoundCloud

Published on April 01, 2015


An evening of bug hunting on Facebook led to the SoundCloud service. We investigated the possibility of XSS vulnerabilities when sharing tracks to the Facebook feed. After several unsuccessful attempts, I wanted to check SoundCloud itself. Within the first 5 minutes, a useless, so-called self-XSS was discovered - when adding a new tag, you can pass in a script. When you hover over this tag with the cursor, the code is executed. A little later, I found two videos where would-be bug hunters presented it as something critical (one even titled the video “Soundcloud Xss epic fail”). Continuing the entertainment, I brought in a second character, because if there is an attacker, there must be a victim.

I uploaded a new track, filled all the fields with various variations of XSS injection and sent the track to the victim. The victim opened the track with very strange tags in the names and descriptions, but listened to it anyway - it turned out tolerable, though in some places there was not enough mastering. Which, in fact, the victim decided to tell the author by sending a constructive comment.

Meanwhile, the author continued to search for places where scripts could be passed into fields that display information on the screen. After reloading the page once more, the attacker noticed that a notification had arrived. On clicking the bell, the popup that opened with the notification history greeted the eye with a window across the whole screen - Bingo! After a little research, it turned out that a script placed in the title of a track is executed in the notifications pop-up if one of the notifications refers to the infected track. It is that simple, as it always is.
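The finding above comes down to one stored field (the track title) reaching two output sinks, only one of which encodes it. The following is an added example, not SoundCloud's code and not from the original post: the function names, markup and the harmless probe string are all assumptions, and it shows a regression check that renders the same constructed title through each sink.

```javascript
// Added illustration; names and markup are hypothetical, not SoundCloud's code.

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Track page sink: assumed to encode the title, so testing only here finds nothing.
function renderTrackPage(track) {
  return `<h1 class="title">${escapeHtml(track.title)}</h1>`;
}

// Notification popup, "before" state: the same stored title is concatenated
// into markup without encoding, which is the behaviour the post describes.
function renderNotificationVulnerable(n) {
  return `<li><b>${escapeHtml(n.user)}</b> replied on ` +
    `<a href="/tracks/${n.track.id}">${n.track.title}</a></li>`;
}

// Notification popup, hardened: every interpolated value is encoded for its context.
function renderNotificationHardened(n) {
  return `<li><b>${escapeHtml(n.user)}</b> replied on ` +
    `<a href="/tracks/${encodeURIComponent(n.track.id)}">${escapeHtml(n.track.title)}</a></li>`;
}

// Constructed, harmless marker: inert markup that is easy to spot if it survives.
const PROBE = '"><i data-probe="1">x</i>';
const track = { id: 42, title: `Summer mix ${PROBE}` };
const notification = { user: "listener", track };

// True when the marker's markup reached the output unencoded.
function sinkLeaksMarkup(render, input) {
  return render(input).includes("<i data-probe");
}

// Run the same stored value through every sink that displays it.
function auditSinks() {
  return {
    trackPage: sinkLeaksMarkup(renderTrackPage, track),
    popupVulnerable: sinkLeaksMarkup(renderNotificationVulnerable, notification),
    popupHardened: sinkLeaksMarkup(renderNotificationHardened, notification),
  };
}

console.log(auditSinks());
```

A check like this belongs in the test suite for every view that displays user-supplied fields, since a field that is safe on its own page can still be rendered raw elsewhere.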

How to use it. The attacker releases another hit. Suppose that 100 people wrote enthusiastic comments on it. Then the attacker adds the “needed” script to the track name and replies to each user's comment. All the users eventually see a notification saying that a reply was written to their comment, but as soon as a user opens the notifications pop-up to read it, the code is executed immediately. Cookies are leaked, new likes, reposts and new comments are posted - whatever one's imagination allows.

After a short search on the site, I did not find a dedicated place where I could report a problem, so I decided to use the standard feedback page. A few hours after sending the message, I decided to double-check whether there was a dedicated page for bug reports - and did find one after all. Reported again.

A day later, I received a message that the bug had already been reported before me. I tried to find out by whom and when; it turned out, judging by my calculations, that the bug was reported about 10 hours earlier. Whether that is so or not remains a mystery.

Such is this strangely synchronous bug hunting.