24 comments

[ 4.4 ms ] story [ 75.7 ms ] thread
They are sending a lot of info in that GET request:

http://ak-media.soundcloud.com/xpO4gBZA21w4.128.mp3?AWSAcces...

128 bitrate? Amazon access key Expires ?? No idea what gda is. Also their signature.

This is security 101 right? Or is this normal for a service of this kind? Also are they officially using the Soundcloud API? if yes, is this one of the responses of the API?

not sure on the security implications, but this could have easily been masked through some backend call.
what suggestions do you have on masking the url, would love to hear your input.
Couldn't you essentially call a handler on the Console.fm server which has the key already coded and it makes the request to SoundCloud?

This would avoid the fact that users could see the GET request to the SoundCloud API.

If you find a "hack" like this on a music website, keep it to your self. If you post about it, they'll try to fix it or obscure it but who knows if some guy at soundcloud will revoke their api key first or some major label dick will initiate legal proceedings forthwith. And then you've just kicked your favorite music site in the nuts, congratulations.

By the way, if you can stream it, you can download it, on any service. One-time use streaming keys are no defense against right clicking. It's just a matter of how much patience you have to expose the underlying URL.

Can you download the stream from Grooveshark? DRMed flash.
I have never actually tried to download the songs on grooveshark, I'm sure its possible though.
Let me know if you find out. I think it's much harder than the process outlined in the post.
(comment deleted)
yeah grooveshark is a tad more complicated. I can assure you, we will figure something out by the end of today that will close this issue.

looks to me like grooveshark is giving a stream.

Sure, like he said with enough patience you can. For instance if could write a custom audio driver in linux that dumps the bits to a file and then encode that.
No problem using GrooveWalrus. ;)
Won't the new Pandora HTML5 site have this same problem?
that will depend on if they are giving the user a true stream, or doing it as a progressive download. its pandora, I'd assume they would be streaming.
I thought they were going to get around this by using a hidden flash player but most reports I've seen says it's going to be pure HTML5. I wouldn't put it past tech writers to get something wrong but if it is as they say and is pure HTML5, then yes it could be done.
Any Pandora implementation has this problem; there is a command-line Pandora client, pianobar, which I trivially hacked to save to disk.

As long as there is DRM, there will be ways to trivially break DRM.

A lot of these services can be gamed and all the songs can be downloaded. You can easily download every song from turntable.fm as well, its not rocket science. Open up the Chrome developer console and look at the network tab...

We are working on securing/masking the url, but at the end of the day, Console.fm is not a true stream, so we cannot securely give the user the song with out the soundcloud .mp3

Please voice any advice you have on this issue or help out, open to suggestions as to we are looking into a proper fix right now.

If a sound (like a stream) is playing on your computer, it can be ripped directly from the playback device. I've done it in the past with complete preservation of the sound's fidelity, but I suppose it might not always be possible.
It's much easier than that, just take any song link that's not playing and open in a new tab, or just choose "Save link as...", works in Google Chrome. :)