SoundCloud is a robust online audio platform where users can distribute or discover new music. With more than 175 million unique monthly users who discover these new songs, there is a big opportunity for malicious ‘users’ to spread their viruses.
Since SoundCloud has a Responsible Disclosure, which is quite comforting, I tried to find a bug in their system and, bingo, I found one! (As well as other minor bugs.)
I am not a copy-paste kind of guy and I try things out; I do all my research manually (sometimes with the help of Burp Suite, which seems to fit me perfectly).
The XSS itself:
You could insert a malicious script as the name of a song. This wasn’t filtered by the system, which was very strange because of a previous bug with tags that was almost the same. If a user commented on a song with this malicious payload as its name, and someone commented on your comment, you would see a notification in your notification bar (icon). If you clicked on this notification icon, the XSS would show up.
Reason of this vulnerability:
SoundCloud uses URLs to construct its name without filtering out malicious script code.
Tests were performed in Internet Explorer 11, Firefox and Chrome (on Ubuntu and Windows 7).
Extra info:
*Authentication Required
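The pattern described above, a song name reaching the notification markup unfiltered, is shown here as an added example. It is not SoundCloud's code: the function names, the notification fields and the sample values are all hypothetical and constructed for illustration. The unsafe renderer is placed beside a hardened one that escapes every user-controlled field and restricts the link scheme.

```javascript
'use strict';

// Characters that must be encoded before text is placed in HTML content or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) links are allowed; anything else (or unparsable input) becomes "#".
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'https:' || u.protocol === 'http:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable (hypothetical): user-controlled fields are concatenated into markup as-is.
function renderNotificationUnsafe(n) {
  return `<li><a href="${n.trackUrl}">${n.actor} replied to your comment on ${n.trackTitle}</a></li>`;
}

// Hardened: every field is output-encoded at the point where the markup is built.
function renderNotificationSafe(n) {
  const href = escapeHtml(safeHref(n.trackUrl));
  return `<li><a href="${href}">${escapeHtml(n.actor)} replied to your comment on ${escapeHtml(n.trackTitle)}</a></li>`;
}

// Constructed sample notification: the track title carries markup instead of a name.
const sampleNotification = {
  actor: 'listener42',
  trackTitle: '<script>alert(1)</script>',
  trackUrl: 'https://example.test/artist/track',
};

console.log('unsafe:', renderNotificationUnsafe(sampleNotification));
console.log('safe:  ', renderNotificationSafe(sampleNotification));
```

In a browser front end, assigning the title through `textContent` instead of building an HTML string achieves the same result.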
18 May 2015 at 17:34
Hi, was this bug actually patched?
19 May 2015 at 09:40
Hello Sal,
This bug is patched by SoundCloud and verified by me.
Maybe there is some work-around to still get some XSS to show up.