SciLor's Open Source Forums
http://forum.scilor.com/

Grooveshark(tm).com Account Security Issue
http://forum.scilor.com/viewtopic.php?f=163&t=717
Page 1 of 1

Author:  SciLor [ Sat Apr 30, 2011 6:04 pm ]
Post subject:  Grooveshark(tm).com Account Security Issue

Two or more month ago I wrote to Grooveshark(tm).com (from now on GS), to give them a hint about a possible security issue at their website. No answer since then.

Now about the issue:

The login into the account may be secure, except the SSL-Certificate of GS is only for the domain "listen.grooveshark.com" and not for "grooveshark.com" which is only a little problem. Modern Browser seem to ignore that, but it may make problems with mobile devices, if you are not ignoring the wrong subdomain.

Lets come to the bigger problem. When you are logged on and open the website, open the source and search for "Country". You will land in an json string. Short after the "Country" entry you will find the "user" entry:
Code:
"user": {
    "City": null,
    "Country": null,
    "Email": "abc@def.ghi",
    "FName": "XYZ",
    "IsActive": true,
    "IsPremium": "0",
    "LName": "XYZ",
    "Passwd": "UNSALTED MD5 PASSWORD",
    "Picture": null,
    "State": null,
    "TSDOB": "1988-05-18",
    "TSLogin": "2010-08-31 11:51:22",
    "TSAdded": "2010-03-16 13:55:46",
    "TSModified": "2011-05-31 15:58:16",
    "UserID": 00000,
    "Username": "xyz",
    "Zip": null,
    "NotificationEmailPrefs": "5684",
    "AuthRealm": 1,
    "Privacy": "0",
    "Flags": "0",
    "UploadsEnabled": true,
    "Sex": "W",
    "pictureSize": "t",
    "favoritesLimit": 500,
    "librarySizeLimit": 5000,
    "themeID": ""
}


The part
Code:
"Passwd": "UNSALTED MD5 PASSWORD"

contains the password, unsalted in md5. Most passwords can so be easily reveresed.
Passwords should never been send around without a reason. And never unencrypted or as md5. It may be more secure sending everything over https and salting the md5 hash.

Because the website is send unencryped over http anybody in you lan may sniff your password. This may also happen if you are connecting to an open wifi-network.
So be careful if you are using your grooveshark account in an open network or somewhere where anybody could sniff your network traffic.

Author:  wthpr0 [ Tue Jun 28, 2011 9:49 pm ]
Post subject:  Re: Grooveshark(tm).com Account Security Issue

Companies these days think that it's secure that way, HoN (heroes of Newerth) dose the exact same thing, none salted md5 over none encrypted http for login.

Page 1 of 1 All times are UTC + 1 hour [ DST ]
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/