Popular follow-to-download gating app Toneden is facing several allegations that their app exploits a serious flaw that can compromise the security of Soundcloud user accounts. Toneden co-founder Ali Shakeri denies the claims.
2PlusTwo Management + Embrace Entertainment’s Biz Davis posted on Facebook Monday that he was warned by Soundcloud of “suspicious activity regarding [their] client’s (Soundcloud) accounts,” and that Toneden was a “suspected cause.” He alleged that the issue was rooted in Toneden reposting Soundcloud content without permission from the user or the platform, however the implications as to how this might have happened go much deeper. In a follow-up edit to his status, Davis noted that he was “made aware of serious security flaws” in Toneden’s platform by other developers. According to the expert we spoke to, this claim holds water and could well explain the appearance of unauthorized actions on a Soundcloud account connected to Toneden.
In emails provided to PressPlay, music industry tech expert Shane Morris alerted Toneden proprietors to multiple vulnerabilities he discovered in June of last year, several of which appear to be unaddressed. According to Morris, the security issue in question is rooted in the cookie settings of Soundcloud, which allows automatic login to Toneden when a logged-in Soundcloud account is detected in a browser; this is by Toneden’s specific design. This process allegedly highlights a security flaw in which anyone with just the email attached to a secure Soundcloud account could successfully gain full access to it (without the password), by monitoring the account’s interactions with the comparatively less-secure Toneden.
“The issue with a lot of these services is that they already kind of break Soundcloud Terms of Service,” Morris said in a phone call. “Soundcloud was built with automatic login as a usability feature, well before apps like this existed. They weren’t thinking of the security lapses that could exist with applications using that feature in a different context, and aren’t as likely to go back and change that feature instead of addressing the issue as a Terms Of Service violation.”
He also added that Soundcloud’s security updates, which are more robust and frequent than what many small app developers can keep up with, are generally at odds with the use of any gated download service. “I have my doubts that Soundcloud wants any gating service like this to exist,” Morris added.
Without casting aspersions on Toneden or other follow-to-download services, the question now becomes one of ultimate security: by using follow-to-download and popular gating services, are user logins compromised? The answer no longer seems to be an airtight “no.”
This also opens up an ethical question, one that Soundcloud seems likely to test in the near future: do third party developers have any right to make apps that seemingly adopt, and in some cases augment, Soundcloud’s original features? It appears that if those augmentations create any concern over account security, the answer in Soundcloud’s eyes will be a hard “no.”
When reached for comment on the alleged breaches, Toneden co-founder Ali Shakeri gave the following statement to PressPlay:
“We take security and privacy very seriously. Our systems are designed to prevent a situation like this from happening. An internal audit regarding this matter has shown that there were no security breaches with any of the parties involved. We strive to maintain a great relationship with our users and any concerns and questions will always be answered by our team by reaching out to firstname.lastname@example.org.”
Biz Davis also stated that while he could not disclose more about 2PlusTwo’s involvement with the situation, due to client confidentiality, that in light of the allegations against Toneden, “2PlusTwo Management and their artists are no longer users of the platform.”
PressPlay will continue to monitor developments as they arise.