
How a student found a bug in Yandex.Music

The Yandex.Music service launched quite a long time ago, as did its applications in the App Store and Google Play, but it was released on the Windows Phone platform only recently.

Honestly, I downloaded it out of idle curiosity, since listening to music on VKontakte is more convenient and, most importantly, free. It was evening, there was nothing to do, and I decided to play around with the new application. The visual design was a pleasant surprise: everything is in the best traditions of the largest IT corporations.

“So what is the bug?” you ask. My answer: in the Windows Phone version you can listen to any song by any artist absolutely free, bypassing the subscription. The sequence of actions is, in fact, very simple:

1. Open the application and start any free selection of music.
2. Open the search and look for any song by any artist.
3. Click on it; a window appears saying that a subscription is required. Click "cancel".
4. Press the volume key; a window appears with the name of the playing track and the "forward / back / pause" buttons.
5. Click "forward" or "back."
As a result, the song after or before the one that triggered the subscription window starts playing. From there, by pressing the "forward / back" buttons, you can navigate through the "subscription" playlist for free.
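The steps above get past a check that fires when a track is tapped but not when playback moves through the forward/back window. As an added example (not from the original post and not Yandex's code), here is a minimal Python model of that class of flaw and its fix; the root cause and every class, method and track name are assumptions, since the post does not describe the application's internals.

```python
# Added illustration: a player with two entry points into playback.
# All names are hypothetical; the root cause modelled here is an assumption.
from dataclasses import dataclass

class SubscriptionRequired(Exception):
    pass

@dataclass
class Track:
    title: str
    free: bool

class Player:
    def __init__(self, subscribed, enforce_in_core):
        self.subscribed = subscribed
        self.enforce_in_core = enforce_in_core  # False = flawed, True = fixed
        self.queue, self.pos, self.now_playing = [], 0, None

    def _entitled(self, track):
        return track.free or self.subscribed

    def _start(self, index):
        # The single place where audio actually starts.
        track = self.queue[index]
        if self.enforce_in_core and not self._entitled(track):
            raise SubscriptionRequired(track.title)
        self.pos, self.now_playing = index, track

    def tap(self, queue, index):
        # UI path (steps 1-3): the queue is swapped before the check runs.
        self.queue, self.pos = queue, index
        if not self._entitled(queue[index]):
            raise SubscriptionRequired(queue[index].title)  # subscription window
        self._start(index)

    def skip(self, step):
        # Transport-control path (steps 4-5): forward/back from the overlay.
        self._start((self.pos + step) % len(self.queue))

def replay_steps(enforce_in_core):
    # Constructed sample data: one free selection, two subscription tracks.
    free = [Track("free mix 1", True)]
    paid = [Track("paid A", False), Track("paid B", False)]
    player = Player(subscribed=False, enforce_in_core=enforce_in_core)
    player.tap(free, 0)                      # step 1
    for action in (lambda: player.tap(paid, 0), lambda: player.skip(+1)):
        try:
            action()                         # steps 2-3, then steps 4-5
        except SubscriptionRequired:
            pass                             # user dismisses the window
    return player.now_playing.title
```

With the check only in the tap handler, the replay ends on a subscription track; with the check in `_start`, every path into playback is covered and the free track keeps playing.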





I sent this information to Yandex (version 1.0). Almost a day later, a new version was released (version 1.10), in which this vulnerability has still not been fixed at the moment. As a reward, I was offered a whole month of free subscription to the service, which I successfully declined to use.

UPD: At the moment, the vulnerability is fixed.

UPD2: After the article was published, a Yandex representative contacted me and wrote that I had been awarded a prize of 10,000 rubles. At the moment it has been paid to me.

Source: https://habr.com/ru/post/255475/

