Paid Advertising
web application security lab

Protected Music Disclosure on MySpace

Dave Shanley has an interesting post on how you can steal protected music from MySpace. It’s pretty straight forward and demonstrative, so I probably don’t need to say much beyond read the post. I’ve actually known about this for a few days, but there was some back and forth regarding how to disclose the issue. Honestly, this probably isn’t that bad, given how many users have had their usernames and passwords stolen from MySpace anyway, but there you have it.

However, what is a little disturbing is the fact that we are seeing so many of these lately. It’s really hard to protect yourself if you rely on a company to do it for you. id and I were talking to someone about this very fact just a few days ago. Should this person put their music on MySpace. If you put any information online you should expect that information to be treated like public knowledge. If your significant other, your boss, your priest, or the judge at your arraignment would disapprove you probably shouldn’t put it online. If it’s a piece of music, cut it off in the middle, or upload a significantly degraded quality version. Find a way to retain the rights to it knowing that security vulnerabilities do and will happen. Relying on companies to do it for you is taking on a pretty big personal risk.

20 Responses to “Protected Music Disclosure on MySpace”

  1. bubbles Says:

    Everyone used to use the exploit on… The sites down now but it used to work.

  2. Andy Steingruebl Says:

    This is why I keep all my money under my mattress rather than trusting a bank to keep it safe . . . You can’t trust other people…

    Or did you just mean to apply this to the online world? ;)

  3. kambuz Says:

    It’s rather old (for me) i always use firebug, which shows me full path to mp3 when i press “play” on flash player. So it’s even easier than Dave’s method :)

  4. Jon Longoria Says:

    Thanks for the input and brief on this disclosure.

    Thats good stuff, although I would be weary of proclaiming your intent to snatch :).

    We were only looking to raise awareness of the issue, get MySpace to take action to plug it before worse happens and Dave posted this vulnerability assuming that there is a good chance someone had already come across a similar issue.

    After a weeks worth of searching and consulting with some subject matter experts, it was published. The issue that we’re mulling over now is how record companies might react or more importantly the RIAA, if they can wrap their mind around the issue and it’s relevance to their bottom-line - this small bug has ramifications across the board.

  5. ChosenOne Says:

    Great, now all music on myspace will be low-quality or incomplete songs - all because of you ;-) j/k
    I’m really astonished that people rally thought the mp3s were “safe” or “locked” :) It was quite obvious to me that everybody can download the mp3s from myspace if you really want to.

  6. Jeremiah Blatz Says:

    I think you’ll find this vulnerability on something like 95% of flash media players. I’m actually rather surprised anyone bothered to publish about it, I thought it was common knowledge.

  7. Jon Longoria Says:


    The round-about response to that is that MySpace would continously promote the content as protected/secured - if it isn’t protected, ok MySpace, say so and no harm/no foul - fix it please anyway, pretty please?…

    However, there is that large contingent of users that WILL put their absolute faith and trust into the service provider including the entertainment/music industry itself; because of that, whether you and I know better is inconsequential in this case.

    If noone speaks up or noone listens, then someone will eventually be taken advantage of. For those of us that can figure it out, we do have a responsibility of being the Good Samaritan and disclosing it - now that is subjective to whatever disclosure model you go by, of course.

  8. ChosenOne Says:

    @Jon Longoria
    Well yes - you’re right, I suppose.

  9. hackathology Says:

    Interesting article.

  10. Awesome AnDrEw Says:

    This is exactly how I did the full disclosure on Soundclick, which allows artists to sell their tracks. Just open up any type of network sniffing application, play the song, and everything is easy as can be.

  11. megaupload search Says:

    Alright, we’ve seen enough myspace music disclosures! Why not pressure the folks at purevolume?

  12. Jon Longoria Says:

    @Awesome AnDrEw

    Its sort of sad how widespread these types of problems are. There seems to be less a school of thought in programming these days where one should evaluate the code from the ground up on it’s security before publishing - something that should be one of the more concentrated points of software/web application development in this day and age.

  13. m0e-sh0ck Says:

    Some Time ago, I used “Internet Download Manager” to download Mp3’s I like from Myspace. I don’t know if it works again.

  14. Michael Tellems Says: can do this

  15. Awesome AnDrEw Says:

    There’s always the cheap way of doing things like setting your sound recorder to accept the output as input, and turning off all other sounds, which is easier, but more work.

  16. Spyware Says:

    “which is easier, but more work”
    More work != easier for me ;)

  17. eyeced Says:

    People have known about this for ages, i don’t think it was a wise idea to disclose it on a site that is viewed by people from myspace/google/microsoft etc, simply because they will now probably fix it. Just ruins it for others.

  18. Howie Says:

    There’s a real easy way to download myspace music, just go to

  19. pund4nt Says:

    Excluding the individuals who actually got the point of this disclosure, are the rest of you bleeding stupid or is it a self-indulged ignorance that plagues you? This has less to do with the method, moreso the principle of the topic at hand.

    djmckey and others who commented on the disclosure @ site make it clear:

    Most of them got it, why can’t you?!

  20. jon Says: exactly do you change your sound recorder to accept output as input?