A security bug in popular music platform PledgeMusic let anyone log in to accounts without needing a password.
One of the site’s users told ZDNet that he found the bug by mistake when he tried to log in on his phone. He was able to log in with just his email — no password needed — granting him full access to his account.
“I opened multiple browsers on my computer, cleared caches, and tried to replicate the problem,” said the user who found the bug, but did not want to be named for the story.
“I discovered that as long as I used the correct email address, it didn’t matter if I typed a wrong password or no password at all,” he said.
ZDNet verified the bug by asking several users to log in to their own accounts without their password.
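The failure mode described above, as an added illustration that is not PledgeMusic's code (the article does not say what the actual root cause was): a login routine in which the email lookup alone decides the outcome, beside a corrected version, and the check ZDNet performed written as a regression test. The user store and password are constructed sample data.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample account (hypothetical, not a real PledgeMusic user).
USERS = {u["email"]: u for u in [make_user("fan@example.com", "correct horse battery staple")]}


def _password_matches(user: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def login_vulnerable(email: str, password: str) -> bool:
    """Reproduces the reported symptom: a known email logs in with any password or none.
    The slip shown here ('or' where 'and' was intended) is one illustrative way to get
    that behaviour; it is an assumption, not the site's actual defect."""
    user = USERS.get(email)
    ok = user is not None              # finding the account already counts as success
    if user is not None and password:
        ok = ok or _password_matches(user, password)   # bug: 'or' never turns ok off
    return ok


def login_fixed(email: str, password: str) -> bool:
    """An empty password is rejected outright and the hash comparison decides the result."""
    user = USERS.get(email)
    if user is None or not password:
        return False
    return _password_matches(user, password)


def regression_check(login) -> dict:
    """The check ZDNet ran, as a test: only the correct email/password pair may succeed."""
    return {
        "correct": login("fan@example.com", "correct horse battery staple"),
        "wrong_password": login("fan@example.com", "wrong"),
        "no_password": login("fan@example.com", ""),
        "unknown_email": login("nobody@example.com", "correct horse battery staple"),
    }
```

Running `regression_check` against both routines shows the vulnerable one passing the wrong-password and no-password cases, which is exactly the condition a login test suite should fail on.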
PledgeMusic is a popular music platform similar to Kickstarter and Patreon in that it allows musicians and artists to raise funds for projects. The company had about three million users as of a year ago, according to an interview with the site’s chief executive, Dominic Pandiscia.
The site also has over 50,000 artists on the platform, including Macy Gray, Culture Club, Reverend and The Makers, and The Libertines.
Account profiles store only limited data, but because the site stores credit card data (which wasn’t accessible except for the last four digits of a registered card), a hacker could make unauthorized payments and pledges to artists without a user’s consent.
The company said the issue has now been fixed and that it had “experienced no customer service concerns or inquiries relating to this issue.”
An email seen by ZDNet shows the user had in fact sent PledgeMusic an email — and a direct message on Twitter — to which he only “got a canned response.”
The spokesperson said that “some users” were affected, but would not elaborate on how many users were affected or how the company came to that unknown figure.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.