A password leak vulnerability in a popular broadcast platform could allow hackers to hijack online radio stations.
The security flaw allows anyone to reveal the plaintext admin username and password for almost any radio station hosted on SoniXCast, a New York-based online broadcast site that boasts over 50,000 terrestrial and internet radio stations on its network.
The site's API can be trivially abused to expose the passwords of radio stations hosted by the company. With a password in hand, an attacker can log in to the service, take over the account, and gain full control of the station. An attacker could even modify the broadcast settings, allowing anything to be broadcast over the airwaves.
"You can hijack a station. If it's a religious station you could air profanity. If it's a news or financial station you could air fake news or false stock info," said Roger Hågensen, who discovered the flaw, in an email to ZDNet.
"Depending on how large/popular a station is, this could have larger ramifications," he said.
To verify the bug, Hågensen provided ZDNet with several screenshots and live links that showed exposed data.
Hågensen reported the bug to the company in May. Email correspondence seen by ZDNet showed that the company said it planned to fix the vulnerability. But some station credentials could still be seen on the site at the time of writing, which is why we're not revealing specifics.
Instead of fixing the bug, SoniXCast owner Brian Walton accused Hågensen of "nefarious intentions" and said he would report the vulnerability disclosure to Homeland Security.
In emails, Walton referred to Hågensen as an "arrogant, pushy individual" for his persistence in reporting the vulnerability, which Walton deemed a "low priority" development issue.
Troy Hunt, who runs breach notification site Have I Been Pwned, said the company's response to the responsible disclosure was "disappointing."
"It's essential that organisations are receptive of vulnerability reports and take them as an opportunity to improve their own security posture rather than proverbially shooting the messenger," Hunt told ZDNet.
"The vulnerability isn't that unusual in that it effectively amounts to a direct object reference; an identifier is exposed publicly which ties to an individual resource -- in this case a station being broadcast -- and there are insufficient access controls protecting that resource," he said.
Referring to the OWASP Top 10 list of web application security risks, Hunt said this class of vulnerability is still ranked as the fourth most critical risk on the web today.
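To make Hunt's description concrete, here is an added example of the pattern he describes, written for this article and not taken from SoniXCast's code or API: a station-settings endpoint that answers any guessable station ID without authentication or an ownership check and hands back the record as stored, plaintext admin credential included, placed beside a hardened version of the same endpoint. The station records, owners, session tokens, route name and response shape are all constructed assumptions for illustration.

```python
"""Added example: an insecure direct object reference (IDOR) on a hypothetical
station-settings API, next to a hardened version of the same endpoint.

Everything here is constructed for illustration: the station records, owners,
session tokens and response shape are assumptions, not SoniXCast's code, API or
data. The vulnerable handler shows the two defects the article describes (no
access check on a guessable identifier, and a credential stored and returned in
plaintext); the hardened handler shows the fixes (authenticate, authorise by
ownership, never return the credential, keep only a salted hash of it).
"""
import hashlib
import hmac
import secrets

# Constructed sample data. Sequential integer IDs are the "direct object
# reference": anyone who can count can address every station.
STATIONS = {
    101: {"owner": "alice", "name": "Harbour FM", "admin_user": "harbour_admin",
          "password": "Sunny-Day-42"},
    102: {"owner": "bob", "name": "Late Night Talk", "admin_user": "lnt_admin",
          "password": "talk2me!"},
    103: {"owner": "carol", "name": "Market Pulse", "admin_user": "pulse_admin",
          "password": "bull$bear"},
}

# --- Vulnerable endpoint -------------------------------------------------
def vulnerable_get_station(station_id):
    """GET /api/station/<id> (hypothetical route) with no authentication and
    no ownership check. Returns the stored record as-is, plaintext admin
    credential included."""
    return STATIONS.get(station_id)

def harvest_credentials(start_id, end_id):
    """What an attacker does with it: walk the ID space and collect logins.
    Every hit is an admin credential for a station the caller does not own."""
    found = []
    for sid in range(start_id, end_id + 1):
        rec = vulnerable_get_station(sid)
        if rec is not None:
            found.append((sid, rec["admin_user"], rec["password"]))
    return found

# --- Hardened version ----------------------------------------------------
def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def build_hardened_store(plaintext_store):
    """Migrate the store: keep owner, name and admin_user, replace the
    plaintext password with a per-record salt and hash."""
    hardened = {}
    for sid, rec in plaintext_store.items():
        salt, digest = hash_password(rec["password"])
        hardened[sid] = {"owner": rec["owner"], "name": rec["name"],
                         "admin_user": rec["admin_user"],
                         "pw_salt": salt, "pw_hash": digest}
    return hardened

HARDENED_STATIONS = build_hardened_store(STATIONS)

# Constructed session table: opaque random token -> authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def hardened_get_station(station_id, session_token):
    """Same route, with the controls the vulnerable version lacks.
    Returns an (HTTP status, body) pair."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {"error": "authentication required"}
    rec = HARDENED_STATIONS.get(station_id)
    # Authorise by ownership. Unknown and not-owned both answer 404 so the
    # endpoint does not confirm which IDs exist.
    if rec is None or rec["owner"] != user:
        return 404, {"error": "not found"}
    # Return only what the owner needs; no credential material leaves the server.
    return 200, {"id": station_id, "name": rec["name"], "admin_user": rec["admin_user"]}

def hardened_login(station_id, admin_user, password):
    """Credential check against the salted hash; the plaintext is never stored."""
    rec = HARDENED_STATIONS.get(station_id)
    if rec is None or rec["admin_user"] != admin_user:
        return False
    return verify_password(password, rec["pw_salt"], rec["pw_hash"])

if __name__ == "__main__":
    print("vulnerable, unauthenticated harvest:", harvest_credentials(100, 110))
    print("hardened, no session:", hardened_get_station(102, None))
    print("hardened, alice reading bob's station:", hardened_get_station(102, "tok-alice"))
    print("hardened, alice reading her own:", hardened_get_station(101, "tok-alice"))
```

The two halves differ in exactly the ways Hunt names: the vulnerable handler lets the public identifier alone select the resource, while the hardened one ties the request to an authenticated account and checks that the account owns the station before answering. Storing only a salted hash is the separate fix for the plaintext exposure: even a future read of the record would not yield a usable login.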
Walton did not respond to a request for comment.