Soundcloud Gives Me Everything For Free

May 7, 2015

I have little time for looking at CCTV systems so thought I should update this blog with something that took me about 2 minutes to do. Soundcloud is a great website that I’ve used for a couple years now, you should all know it by now, a lot of emerging music is on there. I decided to investigate how easy it would be to get the audio of a track with the download option disabled, sadly, it was painfully easy. For this test I will be using tracks I’ve uploaded on Soundcloud, so nothing wrong there. I was originally going to make a YouTube video on this but feel it’s too risky with YouTube’s strict rules.

The first place to start is to open up the source and see whats happening from there. I came across this, it’s one of the first few lines. This shouldn’t work, I’ve disabled the download option.


This is the correct response, I can’t just download something through the API when it’s disabled so I’m happy that this feature works.


So the next thing I choose is to track what’s happening with the network feature in Firefox, a great feature for capturing something like this and understanding how the system works. I intentionally wait before the page loads before clicking play on a track, this will help distinguish anything of relevance, although there is a possibility it’s already been loaded.


Checking the type in the network feature is also important, it helps you understand what the web application is doing. As we can see from the screenshot above, the type “mpeg” is delayed probably due to it trying to load the whole audio (some web apps do it differently). The mpeg is the actual audio, but for creating a Soundcloud downloader it doesn’t give us much clues. Another interesting part of these requests is the type JSON request.

The API needs a track ID which we can get (check the source, first picture). The client ID and App version are not unique to us, I checked with a Google dork and saw requests with the same client_id. When requesting this API we get a “http_mp3_128_url” and a “preview_url”. We ofcourse want the first, the response you will get is something like this.

{“http_mp3_128_url”:”\u0026Signature=(random)__\u0026Key-Pair-Id=(random)”,[redacted preview url]}

I have obviously modified things to make this easier, the first thing I notice is the \u0026, this is simply unicode for “&”.  If you’re confused why I have (random) replacement, this is what a actual response looks like.

dIf we copy the “http_mp3_128_url” value and replace the \u0026 with & we are pleasantly surprised with an mp3 which plays, this allows us to create an automated downloader, as we are simply using a API call to the URL. We do not have to be logged in or have cookie values, I’ve tested with the TOR browser and seems to go swimmingly. One thing to note is that if you wait too long after the API call you won’t be able to get the mp3. You will be instead given a not authorised message. This makes sense. If you just clicked the play button and it’s sent a JSON request it shouldn’t take longer than a second.





If you’re not later than a few minutes, you should have a track you can play nicely.

May 30, 2015 @ 10:31 pm

I exploited it long back ( last year ) – which is never fixed ever. Process was more simpler and straight forward though 🙂 Though Soundcloud team was generous enough to share some swag for reporting the vulnerability, but seems this vulnerability is not easy to fix.

1) Install firebug and jsonview plugins to your firefox.

2) Login to a common account

3) Goto a songs URL which is not showing download link ( or showing buy from itunes or others ) .


4) Open firebug – then click on Play button.

Check the Net console for the link with “Post ?plays” option. Copy the URL

5) Now change the option plays to streams

6) Now – paste the URL to browser.

You will get json feed like following

http_mp3_128_url: “”

7) Copy the URL – paste it to your browser and download directly 🙂

    June 1, 2015 @ 8:10 pm

    I didn’t even count it as a vuln or report, seems like Soundcloud don’t really know what to do with it.


Leave a Reply

Your email address will not be published. Required fields are marked *