Stored XSS on Soundcloud.com

SoundCloud is a robust online audio platform where users can distribute or discover new music. With more than 175 million unique monthly users who discover these new songs, there is a big opportunity for malicious ‘users’ to spread their viruses.

Since SoundCloud has a Responsible Disclosure, which is quite comforting, I tried to find a bug in their system and bingo, I found one! (As well as other minor bugs.)

I am not a copy-paste kind of guy and I try things out; I do all my research manually (sometimes with the help of Burp Suite, which seems to fit me perfectly).

The XSS itself:
You could insert a malicious script as the name of a song. The system did not filter it, which was very strange given that a previous bug with tags was almost the same. If you commented on a song with this malicious payload as its name, and someone commented on your comment, you would see a notification in your notification bar (icon). If you clicked on this notification icon, an XSS would show up.

Reason for this vulnerability:
SoundCloud uses URLs to construct its name without filtering malicious script code.
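
The flaw described above, shown as an added example (not SoundCloud's code and not the researcher's payload): a notification renderer that concatenates the stored song name into HTML, next to one that encodes every user-controlled field at output. The record fields, function names and sample title are constructed assumptions.

```javascript
// Added example: all names and data are constructed, not SoundCloud's code.

// HTML-encode a value for element content or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical notification record: a reply to a comment under a track.
// trackTitle and replierName are user-controlled and stored unmodified.
const notification = {
  replierName: 'listener_42',
  trackTitle: 'Demo <script>/* constructed marker */</script> "mix"',
  trackUrl: '/artist/demo-mix',
};

// "Before": the stored title is concatenated straight into markup, so any
// tags in it become part of the notification dropdown's DOM.
function renderNotificationUnsafe(n) {
  return '<li><a href="' + n.trackUrl + '" title="' + n.trackTitle + '">' +
    n.replierName + ' replied to your comment on ' + n.trackTitle + '</a></li>';
}

// "After": every field is encoded at the point of output, so the title is
// displayed as text no matter which page or widget renders it.
function renderNotificationSafe(n) {
  return '<li><a href="' + escapeHtml(n.trackUrl) + '" title="' +
    escapeHtml(n.trackTitle) + '">' + escapeHtml(n.replierName) +
    ' replied to your comment on ' + escapeHtml(n.trackTitle) + '</a></li>';
}

// Regression check: list the fields that contain markup characters and
// still appear verbatim (unencoded) in the rendered HTML.
function unescapedFields(n, html) {
  return Object.keys(n).filter(
    (key) => /[<>"']/.test(n[key]) && html.includes(n[key])
  );
}

console.log(unescapedFields(notification, renderNotificationUnsafe(notification)));
console.log(unescapedFields(notification, renderNotificationSafe(notification)));
```

Encoding at the renderer rather than filtering at one input form is what covers a field that reaches several views, such as a song name shown both on the track page and in notifications.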

Tests were performed in Internet Explorer 11, Firefox and Chrome (on Ubuntu and Windows 7).

Extra info:
*Authentication Required

Researcher Triponoid:

Comments:

    • Hello Sal,

      this bug is patched by SoundCloud and verified by me.

      Maybe there is some work-around to still get some XSS to show up.