PledgeMusic exposed accounts by letting anyone log in without a password

The site boasted three million users last year.


A security bug in popular music platform PledgeMusic let anyone log in to accounts without needing a password.


One of the site's users told ZDNet that he found the bug by mistake when he tried to log in on his phone. He was able to log in with just his email -- no password needed -- granting him full access to his account.

"I opened multiple browsers on my computer, cleared caches, and tried to replicate the problem," said the user who found the bug, but did not want to be named for the story.

"I discovered that as long as I used the correct email address, it didn't matter if I typed a wrong password or no password at all," he said.

ZDNet verified the bug by asking several users to log in to their own accounts without their password.
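The article does not say what went wrong in PledgeMusic's login code, so the following is an added illustration, not the site's code: a hypothetical login routine whose password check is evaluated but whose result never gates the decision (so a matching email alone is enough, exactly the symptom the users reported), beside a corrected routine and a small regression check a defender can keep in a test suite to catch this class of bug. The credential store, email address and password are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record for the constructed demo store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed demo credential store (not PledgeMusic's data): email -> (salt, hash)
USERS = {"alice@example.com": make_record("correct horse battery")}

# Dummy record used when the email is unknown, so the fixed path does the same
# amount of work for known and unknown accounts (limits timing-based enumeration).
_DUMMY = make_record("unused-dummy-password")


def verify_password(record: tuple[bytes, bytes], password: str) -> bool:
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def login_vulnerable(email: str, password: str) -> bool:
    """Hypothetical defect: the email lookup decides the outcome.

    The password is hashed and compared only when one was supplied, and the
    comparison's result is discarded, so a wrong password or an empty one both
    succeed for any registered email.
    """
    record = USERS.get(email)
    if record is None:
        return False
    if password:
        verify_password(record, password)  # result never used
    return True


def login_fixed(email: str, password: str) -> bool:
    """Corrected routine: an empty password is rejected outright, the
    comparison result is the decision, and unknown emails still pay the
    hashing cost against a dummy record."""
    if not password:
        return False
    record = USERS.get(email)
    ok = verify_password(record if record is not None else _DUMMY, password)
    return ok and record is not None


def password_is_enforced(login, email: str, good: str, bad: str) -> bool:
    """Regression check: the right password must work, and neither a wrong
    nor an empty password may be accepted for the same email."""
    return (
        login(email, good)
        and not login(email, bad)
        and not login(email, "")
    )


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "enforces password:",
              password_is_enforced(fn, "alice@example.com",
                                   "correct horse battery", "wrong"))
```

Running the block prints that the vulnerable routine does not enforce the password while the fixed one does. The regression check is deliberately written against the login function's public behaviour rather than its internals, so it keeps working after the implementation is rewritten, which is the point at which this kind of regression tends to slip in.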

PledgeMusic is a popular music platform similar to Kickstarter and Patreon in that it allows musicians and artists to raise funds for projects. The company had about three million users as of a year ago, according to an interview with the site's chief executive, Dominic Pandiscia.

The site also has over 50,000 artists on the platform, including Macy Gray, Culture Club, Reverend and The Makers, and The Libertines.

Account profiles store only limited data, but because the site stores credit card data (of which nothing was accessible except the last four digits of a registered card), a hacker could make unauthorized payments and pledges to artists without a user's consent.

The company said the issue has now been fixed and that it had "experienced no customer service concerns or inquiries relating to this issue."

An email seen by ZDNet shows the user had in fact sent PledgeMusic an email -- and a direct message on Twitter -- to which he only "got a canned response."

The spokesperson said that "some users" were affected, but would not elaborate on how many users were affected or how the company came to that unknown figure.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
