PledgeMusic Vulnerability: Music Site Let Anyone Access Accounts Without Password

PledgeMusic, a popular social network platform built around music, suffered from a security flaw that allowed anyone to gain access to a user account on the site without needing to enter a password, ZDNet reported.

The vulnerability was discovered by users on the site who found they could login to an account by simply entering the email address associated with the account. The site would allow the user to login without entering a password.

Through the flaw, anyone could gain full access to any user’s account as long as they knew the email address associated with the account—or simply continue guessing email addresses until they discover one registered to PledgeMusic. A person attempting to login could enter a password incorrectly or no password at all and still login to the account.

The site, which is described as a platform to “connect artists and fans in a way that reaches far beyond a simple stream, download or CD/vinyl sale.” It allows users to communicate with artists and purchase rare or collectible items, including backstage passes, instruments and written music and lyric sheets.

It operates similar to a Kickstarter or Patreon-style crowdfunding effort for artists, who can grant users unique access to material in exchange for raising funds to complete projects. Artist who use the platform include Macy Gray, Cheap Trick, Collective Soul, Black Sabbath, Bullet For My Valentine and others.

PledgeMusic boasts a community that consists of more than three million users and about 50,000 artists. It was not clear if artist accounts could be compromised in a similar way as the user accounts.

Despite provided full access to an account, the security vulnerability revealed limited information about a user. It did include the last four digits of the user’s credit card if they stored a payment method on the site or used one to make a purchase, but the full number was not available. However, an attacker could make an unauthorized purchase from a user’s account and run up a significant bill.

PledgeMusic said the flaw has since been fixed—though the company has not made a public acknowledgement of the flaw and it is not clear if it informed any affected users of potentially unauthorized logins made to their accounts.

According to ZDNet, PledgeMusic claimed it "experienced no customer service concerns or inquiries relating to this issue" and said only “some users” were affected by the vulnerability. It did not disclose any figures about the incident.

Earlier this year another music community, 8tracks, suffered from a security breach that resulted in 18 million user account credentials being stolen. The passwords for the accounts were encrypted—though that encryption could be cracked—but the email addresses were exposed.

It is possible, given the similar interest in music that users on 8tracks and PledgeMusic have, that an attacker could have use the information stolen in the 8tracks breach to seek out user accounts on PledgeMusic. As is often the case, initial breaches often lead to additional compromise down the line.