Application patched against privacy-slurping bug
A vulnerability in music-recognition app Shazam could allow an attacker to steal a user’s precise location data using a single malicious URL.
UK security researcher Ash King discovered the bug in the popular application, which is available for both Android and iOS users, back in December 2018, but finally disclosed his findings on Sunday (January 17).
How deep is your link?
The Shazam app can identify the names of music tracks, movies, and TV shows based on listening to a short segment of audio via the device’s microphone.
It uses deeplinks throughout the app as part of its navigation, King explained. The privacy flaw arose because one exported deeplink, which loaded websites in a WebView (an app-embedded browser), did not validate its parameter, potentially giving attackers control of the external resources it loaded.
An attacker could take advantage of this vulnerability by sending a malicious URL that opens in Shazam when the user clicks the link.
Shazam then opens a WebView and executes the payload, which sends the location data back to the attacker.
King has provided a more detailed explanation of how the exploit works on his blog.
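One way to validate a deeplink's URL parameter before it reaches a WebView, as an added example that is not Shazam's code or King's. The class name, the allowlisted hosts and the sample inputs are hypothetical, and the check is written against plain `java.net.URI` so it runs outside Android.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class DeeplinkUrlCheck {
    // Hypothetical allowlist: the only hosts the in-app WebView may load.
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "help.example.com");

    // True only when the deeplink's URL parameter is an HTTPS URL on an allowlisted host.
    static boolean isAllowedWebViewTarget(String param) {
        // Backslashes are rejected outright: URL parsers disagree on how to treat them.
        if (param == null || param.indexOf('\\') >= 0) return false;
        final URI uri;
        try {
            uri = new URI(param.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is never loaded
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false; // no http, file, javascript, data
        if (uri.getRawUserInfo() != null) return false;               // "user@" can disguise the real host
        if (uri.getPort() != -1 && uri.getPort() != 443) return false;
        String host = uri.getHost();                                   // null for opaque or malformed URIs
        if (host == null) return false;
        // Exact match, not endsWith/contains, so look-alike hosts do not pass.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample values of the deeplink parameter.
        String[] samples = {
            "https://www.example.com/charts",
            "HTTPS://Help.Example.com/faq",
            "http://www.example.com/charts",
            "https://www.example.com.untrusted.invalid/",
            "https://www.example.com@untrusted.invalid/",
            "file:///sdcard/page.html",
            "not a url",
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, isAllowedWebViewTarget(s) ? "load" : "reject");
        }
    }
}
```

In an Android handler, the same check would run on the parameter taken from the incoming intent's data URI, before anything is passed to `WebView.loadUrl`.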
At the time, the vulnerability affected more than 100 million users, he said. It was eventually fixed in March 2019.
King reported the issue three months after Apple acquired the Shazam app. He explained, however, that Apple did not deem the vulnerability eligible under its bug bounty program.
“I came across an article back in 2017 where someone found a Heartbleed vulnerability on a few Shazam servers,” King told The Daily Swig.
“He reported it and was awarded a bounty within two weeks. The payout was a key selling point for me to spend time looking at this app.
“This app was also in scope for Google Play Security Rewards Program so finding a mobile issue would have resulted in a double bounty, or so I thought.”
King said that Google did not deem location data “a big enough security risk”, but warned that the privacy-conscious could be at risk if they do not update their Shazam app.
He said: “If a user has enabled the location permission for Shazam, their precise location could be stolen at any time.
“Whilst some companies don’t see your location data as a privacy issue, users who rely on being anonymous are the ones most at risk.”