PledgeMusic exposed accounts by letting anyone log in without a password
(Image: file photo)
A security bug in popular music platform PledgeMusic let anyone log in to accounts without needing a password.
One of the site's users told ZDNet that he found the bug by mistake when he tried to log in on his phone. He was able to log in with just his email -- no password needed -- granting him full access to his account.
"I opened multiple browsers on my computer, cleared caches, and tried to replicate the problem," said the user who found the bug, but did not want to be named for the story.
"I discovered that as long as I used the correct email address, it didn't matter if I typed a wrong password or no password at all," he said.
ZDNet verified the bug by asking several users to log in to their own accounts without their password.
PledgeMusic is a popular music platform similar to Kickstarter and Patreon in that it allows musicians and artists to raise funds for projects. The company had about three million users as of a year ago, according to an interview with the site's chief executive, Dominic Pandiscia.
The site also has over 50,000 artists on the platform, including Macy Gray, Culture Club, Reverend and The Makers, and The Libertines.
Account profiles store only limited data, but because the site stores credit card data (which wasn't accessible except for the last four-digits of a registered card), a hacker could make unauthorized payments and pledges to artists without a user's consent.
The company said the issue has now been fixed and that it had "experienced no customer service concerns or inquiries relating to this issue."
An email seen by ZDNet shows the user had in fact sent PledgeMusic an email -- and a direct message on Twitter -- to which he only only "got a canned response."
The spokesperson said that "some users" were affected, but would not elaborate on how many users were affected or how the company came to that unknown figure.