Critical vulnerability in Shazam exposes over 100 million users’ location data

A British security specialist reported finding a critical vulnerability in Shazam, the popular music recognition app, which would allow threat actors to extract a user’s location data by sending a malicious URL. The flaw lies in the app for iOS and Android.

As you may remember, this application can identify the name of songs, movies and TV shows using a small audio sample captured by the device’s microphone thanks to the “deeplink” technology. The expert mentions that the flaw exists because an exported deeplink that loads websites into a Shazam-integrated browser does not validate its parameters correctly, which could result in the application being compromised.

SOURCE: Ash King

Malicious hackers could exploit the flaw by sending a malicious URL that will be opened by Shazam when the target user clicks on the received link. Shazam will then open WebView, its built-in browser, and run the payload, resulting in sending the device’s location data to an attacker-controlled server.
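
The parameter check that the report describes as missing, modelled in Python as an added example (not Shazam's code or the researcher's): the handler hands a deeplink's URL parameter to the in-app browser only if it is HTTPS, carries no credentials and its host is an exact match on an allowlist. The scheme `exampleapp`, the parameter name `url` and the allowed hosts are assumptions, since the article names none of them.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration; the article does not give the real
# deeplink scheme, parameter name or trusted hosts.
APP_SCHEME = "exampleapp"
URL_PARAM = "url"
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}


def webview_target(deeplink: str) -> Optional[str]:
    """Return the URL the in-app browser may load, or None if rejected."""
    link = urlsplit(deeplink)
    if link.scheme != APP_SCHEME:
        return None
    values = parse_qs(link.query).get(URL_PARAM, [])
    if len(values) != 1:  # parameter missing or supplied more than once
        return None
    target = values[0]
    # Characters that URL parsers disagree on; refuse them outright.
    if any(ch in target for ch in "\\\t\r\n"):
        return None
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":  # blocks http:, javascript:, file:, ...
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "trusted-host@other-host" style confusion
    if port not in (None, 443):
        return None
    if parts.hostname not in ALLOWED_HOSTS:  # exact match, no suffix match
        return None
    # Return the parsed form so the URL loaded is the URL that was checked.
    return parts.geturl()
```

A rejected link should fall back to the app's default screen rather than being passed to the system browser or loaded with reduced privileges.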

At the time of its patching, the flaw could have affected Shazam’s more than 100 million users. The vulnerability was fixed after Apple acquired the app, although it was mentioned that the company did not consider this report to meet the requirements set out in its bug bounty program, so the researcher was not compensated.

On taking his report to Google, the researcher received a similar response: “Google does not consider location data leaking as a serious security risk,” the expert said. However, the company mentioned through the Play Store that users could see their location data exposed if they did not use the latest version of Shazam.