MP3 players and iPods lived a short but spectacular life. These devices transformed the way we consume music but eventually had to make way for music streaming services available on a more precious device, our mobile phones.

According to a report from the Recording Industry Association of America, US music revenue increased 17 percent from 2016 to 2017, with streaming services accounting for two-thirds of total revenue. Today’s top music streaming services include Spotify, Apple Music, Google Play Music, Pandora and SoundCloud.
In France, Deezer seems to have taken the lead, both with a local audience and with a global audience of listeners seeking alternative music. In December 2016 we detected that Deezer was leaking data, and unfortunately it is not the only music streaming service we have found leaking users’ sensitive information.
Qobuz is a French commercial music streaming and downloading service that promises unlimited access to more than 40 million tracks across all musical genres and access to editorial content and expert recommendations.
Wandera’s threat research team detected that the latest iOS version of the Qobuz app was leaking Personally Identifiable Information. NB: The issue has been fixed since the original publication date.

How does the Qobuz data leak work?

Our threat research team found that the app sent the user’s authentication token to the backend “in the clear”, over plain HTTP rather than TLS. Anyone positioned on the network path, such as another user of the same public Wi-Fi network or the operator of a rogue access point, can read the token from the traffic and replay it to the API, gaining access to the account without ever needing the password or its hash.
The app also transmitted the MD5 hash of the user’s password in the clear. Because the backend accepts that hash as the login credential, the hash is as good as the password itself: both the session token and the password hash can be replayed to take over the victim’s account without knowing the real password. MD5 is also a fast hash, so a captured hash of a weak password can often be cracked offline as well.
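To make the leak concrete, here is a small detector of the kind a traffic-inspection tool would run over captured mobile traffic. It is an added example written for this page, not Wandera’s or Qobuz’s code: the HTTP captures are constructed, the hostname is a placeholder, and the parameter and header names (username, password, X-User-Auth-Token) are assumptions, since the advisory does not name the real fields. The same request inside a TLS session is modelled by the over_tls flag, where the observer sees only ciphertext and the detector finds nothing.

```python
from __future__ import annotations

import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Field names worth flagging. These are generic guesses, not the field names
# the Qobuz API actually uses (the advisory does not list them).
PASSWORD_KEYS = {"password", "passwd", "pwd", "password_hash"}
TOKEN_KEYS = {"token", "user_auth_token", "auth_token", "session", "session_id"}
PII_KEYS = {"username", "email", "firstname", "lastname", "birthdate", "gender", "device_id"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def classify(name: str, value: str) -> Optional[str]:
    """Label one parameter; a 32-hex-char password value is almost certainly an MD5."""
    key = name.lower()
    if key in PASSWORD_KEYS:
        return "password_md5" if MD5_HEX.match(value) else "password"
    if key in TOKEN_KEYS or "token" in key:
        return "session_token"
    if key in PII_KEYS:
        return "pii"
    return None


def find_cleartext_secrets(raw: bytes, over_tls: bool = False) -> list[tuple[str, str, str]]:
    """Return (location, field, classification) for every sensitive field an
    on-path observer could read. over_tls=True models the same request inside
    a TLS session: the observer sees ciphertext only, so nothing is reported."""
    if over_tls:
        return []
    req = parse_http_request(raw)
    findings = []
    # 1. Query-string parameters (the classic place for a leaked login)
    for name, values in parse_qs(urlsplit(req["target"]).query, keep_blank_values=True).items():
        for value in values:
            label = classify(name, value)
            if label:
                findings.append(("query", name, label))
    # 2. URL-encoded form bodies
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            for value in values:
                label = classify(name, value)
                if label:
                    findings.append(("body", name, label))
    # 3. Headers that carry bearer tokens or cookies
    for name in req["headers"]:
        if name in ("authorization", "cookie") or "token" in name:
            findings.append(("header", name, "session_token"))
    return findings


# Constructed sample captures. The host is a placeholder and the password is
# sent as an MD5 hex digest, as the advisory describes.
LOGIN_REQUEST = (
    b"GET /api/user/login?username=alice%40example.com&password="
    + hashlib.md5(b"correct horse battery staple").hexdigest().encode()
    + b" HTTP/1.1\r\n"
    b"Host: api.example-music.invalid\r\n"
    b"User-Agent: ExampleMusic/1.0 (iPhone; iOS 10.3)\r\n\r\n"
)
PROFILE_REQUEST = (
    b"GET /api/user/get HTTP/1.1\r\n"
    b"Host: api.example-music.invalid\r\n"
    b"X-User-Auth-Token: tok_9f86d081884c7d659a2feaa0c55ad015\r\n\r\n"
)

if __name__ == "__main__":
    for label, capture in (("login", LOGIN_REQUEST), ("profile", PROFILE_REQUEST)):
        for location, field, kind in find_cleartext_secrets(capture):
            print(f"{label}: {kind} leaked in {location} field {field!r}")
```

Run as a script it reports the e-mail address and the MD5 password hash in the login request’s query string and the session token in the profile request’s header. The parser is deliberately minimal (no chunked bodies, no multipart); the point is that once traffic is plaintext, credential extraction needs nothing more sophisticated than this.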

What is a replay attack?

A replay attack is a network attack closely related to the man-in-the-middle attack. An adversary intercepts a valid message (a login request, an API call carrying a session token) and later re-transmits it unchanged. Because the message is genuine, the receiving server cannot tell the copy from the original and processes it as if the legitimate user had sent it again. The replay may be carried out by the original sender (for example, to submit a transaction twice) or by an eavesdropper who captured the traffic.
A replay attack may be used to break into a victim’s online accounts, whether a music service like Qobuz or an online banking service. Everything a user did during a vulnerable session may be recorded and replayed later, so the attacker can reuse every credential and token that crossed the wire and act on the account with them.
Encryption alone does not stop replay: a ciphertext can be re-sent just as easily as plaintext. Replay is prevented by binding each message to its context and authenticating that binding: tag every message with a session identifier and a monotonically increasing sequence number (or a fresh nonce or timestamp), cover those fields together with the payload under a MAC or signature, and have the server reject any message whose counter it has already seen. TLS does exactly this at the record layer (its sequence number is authenticated with every record, the one exception being TLS 1.3 0-RTT early data, which is replayable by design), so moving traffic to HTTPS addresses both the eavesdropping and the replay.
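The following added example (written for this page, not code from the advisory or from Qobuz) shows both halves of the preceding paragraphs in working Python: an API backend that authenticates on a bare session token accepts a captured request a second time, while one that binds every request to a per-session key, a sequence number and an HMAC rejects both the replay and a tampered copy. The protocol, the field names and the in-memory servers are all constructed; the per-session key is assumed to have been delivered to the client over TLS at login, so an eavesdropper never sees it.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example: an in-memory stand-in for an API backend. Field names
# and the login flow are assumptions, not the real Qobuz protocol.


class VulnerableServer:
    """Authenticates each call with nothing but the session token. Anyone who
    captured the token (e.g. from plaintext HTTP) can resend the request."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username: str, password_md5: str) -> str:
        # Password check elided; the point is what happens after login.
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def handle(self, request: dict) -> tuple[int, str]:
        user = self.sessions.get(request.get("token"))
        if user is None:
            return 401, "invalid token"
        return 200, f"{user} {request['method']} {request['path']}"


class HardenedServer:
    """Each request carries a session id, a strictly increasing sequence
    number and an HMAC-SHA256 over (session id, seq, method, path, body)
    under a per-session key. The key is assumed to reach the client over TLS
    at login. A replay fails the seq check; an edited copy fails the MAC."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user", "key", "last_seq"}

    def login(self, username: str, password_md5: str) -> tuple[str, bytes]:
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = {"user": username, "key": key, "last_seq": 0}
        return sid, key

    @staticmethod
    def mac(key: bytes, sid: str, seq: int, method: str, path: str, body: str) -> str:
        msg = "\n".join([sid, str(seq), method, path, body]).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def handle(self, request: dict) -> tuple[int, str]:
        sess = self.sessions.get(request.get("session_id"))
        if sess is None:
            return 401, "unknown session"
        expected = self.mac(sess["key"], request["session_id"], request["seq"],
                            request["method"], request["path"], request["body"])
        # Authenticate before touching any state, with a constant-time compare.
        if not hmac.compare_digest(expected, request["mac"]):
            return 401, "bad mac"
        # Reject anything at or below the highest counter already accepted.
        if request["seq"] <= sess["last_seq"]:
            return 401, "replayed or out-of-order request"
        sess["last_seq"] = request["seq"]
        return 200, f"{sess['user']} {request['method']} {request['path']}"


def sign_request(sid: str, key: bytes, seq: int, method: str, path: str, body: str = "") -> dict:
    """Client side: build a request the HardenedServer will accept exactly once."""
    return {"session_id": sid, "seq": seq, "method": method, "path": path, "body": body,
            "mac": HardenedServer.mac(key, sid, seq, method, path, body)}


def replay_against_vulnerable() -> tuple[int, int]:
    """Returns (status of the real request, status of the attacker's replay)."""
    srv = VulnerableServer()
    token = srv.login("alice", hashlib.md5(b"hunter2").hexdigest())
    captured = {"token": token, "method": "GET", "path": "/user/profile", "body": ""}
    first = srv.handle(captured)[0]
    replayed = srv.handle(dict(captured))[0]  # byte-for-byte resend
    return first, replayed


def replay_against_hardened() -> tuple[int, int, int, int]:
    """Returns statuses for: the real request, its replay, a tampered copy
    (new path and counter, but the attacker cannot recompute the MAC without
    the key) and the user's next legitimate request."""
    srv = HardenedServer()
    sid, key = srv.login("alice", hashlib.md5(b"hunter2").hexdigest())
    captured = sign_request(sid, key, 1, "GET", "/user/profile")
    first = srv.handle(captured)[0]
    replayed = srv.handle(dict(captured))[0]
    tampered = srv.handle(dict(captured, seq=2, path="/user/delete"))[0]
    next_legit = srv.handle(sign_request(sid, key, 2, "GET", "/user/favorites"))[0]
    return first, replayed, tampered, next_legit


if __name__ == "__main__":
    print("bare token   (first, replay):", replay_against_vulnerable())
    print("seq + HMAC   (first, replay, tampered, next):", replay_against_hardened())
```

A strictly increasing counter assumes ordered delivery on one connection; across connections or over unreliable transports use a sliding window, or per-request nonces with a server-side replay cache and a timestamp bound. In practice you rarely build this yourself: TLS performs the same authenticated sequencing at the record layer, which is why the fix for the Qobuz app is simply to stop sending the API traffic over plain HTTP.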

Security implications of the Qobuz data leak

To set up an account, users provide personal information that could have negative consequences for them if it falls into the wrong hands. Once an attacker has replayed a captured token or password hash, all of that information is theirs to read and misuse.
The valuable PII (Personally Identifiable Information) exposed during registration includes:
Username, Password Hash, First and Last Name, Email, Birthdate, Gender, User Authentication Token, Device Information.

What can you do to protect your users?

There’s no sense in taking the over-precautious measure of blocking access to all music streaming services just because a couple of players have failed to follow secure development practices. Overly strict policies will only upset your employees. Instead, we recommend the following steps:
Both businesses and users should have an active mobile security service deployed to monitor and block data leaks coming from apps and mobile sites as they happen.
Users should avoid the iOS Qobuz application entirely until the issue is patched. The fix has since shipped, so users should make sure they are running an updated version of the app; since a token or password hash captured while the app was vulnerable remains usable until it is rotated, changing the Qobuz password is a sensible precaution as well.
The developers of the Qobuz application are strongly advised to use TLS for every connection that carries personally identifiable information, session tokens or other sensitive data to a backend API or web service, and to validate the server certificate properly rather than disabling validation. On iOS, App Transport Security blocks plaintext HTTP by default, so an app only sends cleartext if it opts out with an NSAllowsArbitraryLoads or per-domain exception in its Info.plist; removing such exceptions is the first check to make. Password hashes should not be transmitted at all: the client should send the password over TLS and the server should store it with a slow, salted hash such as bcrypt or Argon2, and session tokens should be short-lived and revocable so that a leaked one has limited value.