Part of a ZDNet Special Feature: Cyberwar and the Future of Cybersecurity

Password leak puts online radio stations at risk of hijack

Leaked admin accounts and passwords for radio stations allowed anyone to log in and hijack broadcasts.


A password leak vulnerability in a popular broadcast platform could allow hackers to hijack online radio stations.

The security flaw allows anyone to reveal the plaintext admin account and password for almost any radio station hosted on SoniXCast, a New York-based online broadcast site, boasting over 50,000 terrestrial and internet radio stations on its network.


The site's API can be trivially exploited to expose passwords to radio stations hosted by the company. The passwords can be used to log in to the service, replace accounts, and gain full control of the radio station. A hacker could even modify the broadcast settings, allowing anything to be broadcast over the airwaves.

"You can hijack a station. If it's a religious station you could air profanity. If it's a news or financial station you could air fake news or false stock info," said Roger Hågensen, who discovered the flaw, in an email to ZDNet.

"Depending on how large/popular a station is this could have larger ramifications," he said.

To verify the bug, Hågensen provided ZDNet with several screenshots and live links that showed exposed data.

Hågensen reported the bug to the company in May. Email correspondence seen by ZDNet showed that the company said it planned to fix the vulnerability. But some station credentials could still be seen on the site at the time of writing, which is why we're not revealing specifics.

Instead of fixing the bug, SoniXCast owner Brian Walton accused Hågensen of "nefarious intentions" and said he would report the vulnerability disclosure to Homeland Security.

In emails, Walton referred to Hågensen as an "arrogant, pushy individual" for his persistence in reporting the vulnerability, which was deemed a "low priority" development issue.

Troy Hunt, who runs breach notification site Have I Been Pwned, said the company's response to the responsible disclosure was "disappointing."

"It's essential that organisations are receptive of vulnerability reports and take them as an opportunity to improve their own security posture rather than proverbially shooting the messenger," Hunt told ZDNet.

"The vulnerability isn't that unusual in that it effectively amounts to a direct object reference; an identifier is exposed publicly which ties to an individual resource -- in this case a station being broadcast -- and there are insufficient access controls protecting that resource," he said.

Referring to OWASP's leading web application security risks, Hunt said the vulnerability is still ranked as the fourth most critical risk on the web today.
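The flaw Hunt describes, a direct object reference with no ownership check and a plaintext secret in the response, reduces to a small handler pattern. The following is an added illustration, not SoniXCast's code: a hypothetical station-lookup handler in its vulnerable form beside a hardened one, with constructed sample records, showing the two fixes a defender would apply (authorise every lookup server-side, and never store or serialise the admin password in plaintext).

```python
import hashlib
import hmac
import os

# Constructed sample data (hypothetical): station id -> record owned by a user.
# Storing "admin_password" in plaintext is the first defect being shown.
STATIONS = {
    101: {"owner": "alice", "name": "Morning Jazz", "admin_password": "hunter2"},
    102: {"owner": "bob", "name": "Market Watch", "admin_password": "s3cret"},
}

class Forbidden(Exception):
    """Raised when the requester may not read the requested station."""

def get_station_vulnerable(requester, station_id):
    """Insecure direct object reference: whoever supplies an id gets the
    record, and the record carries the plaintext admin password."""
    return dict(STATIONS[station_id])

def can_access(requester, station_id):
    """Server-side ownership check; the id in the request is never trusted."""
    record = STATIONS.get(station_id)
    return record is not None and record["owner"] == requester

def get_station_hardened(requester, station_id):
    """Authorises every lookup and strips secrets from the response."""
    if not can_access(requester, station_id):
        # One error for both "missing" and "not yours", so responses do not
        # reveal which ids exist.
        raise Forbidden("station not found or access denied")
    return {k: v for k, v in STATIONS[station_id].items() if k != "admin_password"}

# Second fix: keep only a salted PBKDF2 hash so there is no plaintext to leak.
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```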

Walton did not respond to a request for comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
