SoundCloud is a robust online audio platform where users can distribute or discover new music. With more than 175 million unique monthly users who discover these new songs, there is a big opportunity for malicious ‘users’ to spread there viruses.

Since SoundCloud has a Responsible Disclosure, which is quite comforming I tried to find a bug in their system and bingo I’ve found one! (As well as other minor bugs)

I am not a copy-paste-like-guy and try things out, I do all my research manually (sometimes with the help of burp suite, which seems to fit me perfectly)

The XSS-itself:

You could insert an malicious script as a name of the song, this wasn’t filtered by the system which was very strange. Because of a previous bug with tags which was almost the same. If a user commented on a song with this malicious payload as a name. And if someone commented on your comment you would see a notification in your notification bar (icon). If you clicked on this notification icon, a XSS would show up.

Video:

Reason of this vulnerability:

SoundCloud uses URLs to construct its name without filtering malicious script codes.

Tests were performed in Internet Explorer 11, Firefox and Chrome (on ubuntu and Windows 7).

Extra info:

*Authentication Required