<<< DISCLAIMER >>> Please note that I have not written this article to enable people to steal music from MySpace artists - This is a ‘proof of concept‘ article. Please, do not steal music! If you are going to steal it then please do so knowing you are committing a crime and myself and theReformed have nothing to do with it.
I originally discovered this technique as I was researching the concept of securing MP3 streams for a project I am working on. I originally discovered this information by using Ethereal and Fink. I then remembered one of the most useful, but probably most under-used features of Safari. The ‘Activity‘ window allows you to view all the connections the browser is making to a website, which of course can reveal all kinds of goodies.
This article will show you how you can ‘snatch‘ (I don’t like the word steal) music from MySpace artists, which I reiterate that I do discourage, just by following the trail of breadcrumbs left behind. Its very simple, too simple and quite frankly I am surprised this hasn’t been blown wide open.Â
First of all lets take a look at a tool that can make this all possible, the Activity window within Safari.
The Activity window provides you with a complete break-down of all the data your browser is currently receiving / requesting. If you study this window you may stumble over some rather interesting data.
So lets get on with the show. I am going to ‘take‘ the new single from the White Stripes called ‘Icky Thump‘. The track is listed on their MySpace profile music player, but its not available for download. So I can either stream it (and record the stream which is a hassle) or I can simply ’snatch’ it. So lets have a look at The White Stripes MySpace profile and see the player.
 
Of course this is the same player we have all seen a hundred thousand times, nothing special - however if you look at the player you will notice that all the singles are NOT available for download.
Normally web based flash MP3 players use a XSPF formatted XML playlist, the HTML <embed> tag will normally link to the .swf file of the player as well as including arguments that specify the XML playlist location. Looking at the HTML source, there is no XSPF link to a playlist, which is understandable - if you have the play list you know wherethe mp3’s are. So the HTML source gives us the following link (which is the actual link to the MySpace flash player):
http://lads.myspace.com/music/musicplayer.swf
?n=aHR0cDovL211c2ljLm15c3BhY2UuY29t&t=wVYXulxM
utRGBu48BHqGUCHtkvL8xYwHpBYHQlFuVha0sJwFv6oALY1
nuFHCtV1sMwS+yl+WtWEojft5d7mlqg==
&u=LTE=&a=0&d=MTYzOTY1MzIxXjExODc1MTI1MjU=Â
So if you try and view that link you will get a rather massive flash movie loading in your browser! thats no good, but we have been ignoring our Activity window when we look at the profile.Â
If you look at your activity window, and scroll down, you will eventually notice something rather interesting, Its a link to a ‘musicplayerxml.ashx’ the exact link is http://mediaservices.myspace.com/services/media/musicplayerxml.ashx?b=163965321
(Notice that the ‘b’ parameter is actually the ID of the artist, if you want to generate the playlist for an artist, just add the ID of the artist’s MySpace profile ID)
So if we look at the XML we get some of the following:
If you have never seen XML this might look a little frightening (however if you have never seen XML before - what the heck are you doing reading this article?) Anyway we now have our playlist! we can see all the information we need. Â
Now within each <song> there are various parameters, however the one to look at is the ‘durl’. So if we extract the ‘durl‘ of the <song> that we want (which is “Icky Thump”) we have a link to an MP3! that link is http://cache09-music02.myspacecdn.com/67/std_b8fc0a50718a6b6350f08cd0ffb89002.mp3Â
So lets stick that in our browser and see what we see!
And there you have it! like magic. I now have a direct link to the ‘Icky Thump’.
So all I have to do now to save it, is use the QuickTime ‘Save As Source’ Option. Then, its on my Desktop ready to be imported into iTunes or what ever you use (However I deleted it because I don’t steal or even ’snatch’ music).
Thats how simple it is. MySpace have really left the doors wide open on this one. If only they employed some simple techniques like streaming the MP3 as HTML, this would confuse the hell out of your browser, but wouldn’t phase a Flash media player. Why not use Flash Media Server or even the Red 5 open source version?
Please leave your comments - or suggestions on fixes, maybe the chaps over at News Corp will wise up.
<<< UPDATE 25th August >>> If you are seeing an HTTP Error consisting of a ‘401: Unauthorized’ message, or you are presented with a traditional HTTP_AUTH username and password popup, then you might be one of the people who are ‘blocked’ - it seems there is a 50/50 chance of this. So, in order to get around it, simply copy out the MP3 location from the ‘durl’ parameter and go to the Unblockcity.org web proxy and paste the URL of the MP3 in there. That should work fine for you.
Dave Shanley
(Masterful Hax0r & All Round PITA)
Thanks Dave
Nice investigation, I’m not a safari user so I tried to get the ashx via the URLsnooper tool and then I got the durl parameter then you are able to open it with your favorite browser, in my case I did it with firefox.
Regards
Hi again
I tried now with safari but seems myspace fix the hole cause I’m getting a 401 permissions error, or my durl parameter is wrong but I don’t think do since I follow your steps, well however excelent work!!
@mando
I’m not sure what you’ve done wrong, but I’ve replicated this issue in the last 15 minutes to ensure the integrity of part of the method. You might want to go through your steps again :).
Thanks J. Longoria
I’ll try later, when I did it with firefox I was at home and was succesful, now at office the proxy must be filtering the request.
you said that they should stream the
mp3 as html but this would not be a good
fix as content-types can be enforced and
applications like wget could be used..
Cool easy work!!! Nice one..
@[fazed]
You are right yes, wget and other simple applications could get around it, however it would make your average user a little more confused when they were presented with reams of binary code instead of a nice MP3 player plugin.
@Dave,
The vulnerability disclosure made it onto TheRegister (here) with a host of interesting responses in the comments. I think it is important for people to understand that this is more about MySpace ’selling’ the content as protected to it’s users, when it indeed is not.
As I posted on RSnake’s blog, there are ramifications across the industry(s) in the handling of this type of content - this being a perfect example of one company failing to securely distribute the content on behalf of it’s clientele (entertainment/music industry).
I sincerely wish that this exposure will push MySpace to correct itself for the sake of their proprietors.
Until rather recently you could use myspacemp3.com to do that same thing. He basically automated the process and built it into a web interface. The source code is available at:
http://myspacemp3.org/
@Jordan
I get a Error 404 from that site.
can anyone download this? http://cache10-music02.myspacecdn.com/77/std_0ca66369b72b897e94b93ec306426edb.mp3
i can’t!!!
http://www.eches.net/myspace-music/
Try that
I’ve found that this site: http://www.myspacegrab.com is great. Always works and always downloads a clean copy.
I’ll never use anything else.
Anyone recommending ’sites’ for downloading MySpace music, you are missing the point of this article, its a DISCLOSURE not a ’steal myspace music howto’
If you want to learn how its done - read the article. Otherwise go and use a site to steal music you pirate.
Your site is great! It is very impressive. I’ve enjoyed the visit!
streaming mp3 over flash is an open barn for downloaders. safari makes that even more clear. the security issue is with flash and myspace, not with safari. the files can be protected quite easily using a session token and a referer check, so a click the activity window will not do anything anymore. myspace scripters (they’re not programmers, are they?) have been just too lazy to implement that. and adobe should also warn it’s customers who assume that streaming like that is safe.
btw - this works with all flash streamed content that isn’t download protected. youtube, you name it. the process is very simple, which your description does not make clear. start the track or movie and check activity for the only file that’s in megabytes range, double click and download will start. in case of youtube you’ll have to rename the received file to something.flv. you’ll also need a (free) quicktime plugin to watch flv files directly…
@Andy
Hey, congratulations for actually giving a more complex explanation than his brief article defined above.
Additionally, perhaps literacy isn’t your strong point - I say this because never at one time in his article was he attributing the ‘vulnerability’ to Safari - he was actually quite clear on what was causing this and left it open to discussion about what could be done to fix the problem. You did a fine job of rewording exactly what he related beforehand, I admire your incredible resolve to pad your ego.
Perhaps you could have just posted your take on how you’d have implemented a fix instead of criticizing someone else’s communications? That would have been much more constructive wouldn’t it have? Your commentary is about as negative as the individuals complaining that MySpace will end up closing the hole, preventing them from STEALING someone else’s hardwork.
@Dave
Keep up the effort you are all making, unlike my counterpart above, I believe most of us appreciate your initiative at forcing MySpace’s hand to close some bugs for those of us that are trying to make a living and using that medium.
@Andy
I would have to agree with Jim above, you do seem rather contrite and contempable in your ‘tone’ above. We need less of that and more innovative thinking or commentary on the Internet. Looking at the article, I find that it was a draft on the method to be used - one method out of perhaps several avenues to achieve the same result. I don’t at any time believe he is attempting to pass this off as a one-off vulnerability and it seems to be quite clear the opposite.
Jon said it best above, “… there are ramifications across the industry(s) in the handling of this type of content - this being a perfect example of one company failing to securely distribute the content on behalf of it’s clientele (entertainment/music industry)…” . So, why is this important? Well, the fact is that a company such as MySpace is dubiously deceiving it’s participating clientele into believing their work is securely hosted - regardless of the quality of content, etc., let’s stay on the real issue here - on their publishing platform. It has rather large implications to the bottom-lines of not just recording artists, their distribution firms, but especially to Joe Blow trying to break into that market and has no other efficient means or support network to release through. It boils down to the very principle of integrity and in this case MySpace is lacking in it.
To me, what this disclosure defines is another vote for keeping corporate global entities accountable to their users. I share Jim’s sentiments and appreciate the commentary.
@jim & djmckey
my point was the following: the problem is the ignorant use of adobe flash.
whatever tool you use to grab the files is really of no importance. firefox allows many plugins that can do much more nasty things than activity. the headline of the article is about myspace and safari and i think this creates quite a wrong impression about the issue. the article is quoted on that on quite some big websites.
i also said that it’s much easier than the above author describes, as you just have to double click the mentioned entry in activity, rather than copying links out of a confusing xml dump. i’m sorry if i misread something.
i also wrote about a possible way to secure the files. I’m sure it’s not waterproof, but requires a lot more knowledge to hack. I’m sure it’s easy to find more information online how to do things like that, don’t expect anyone to teach you. do your own research. besides i’m no good in tutorials.
and please, and my original comments were not negative in any way (yours was, though). i don’t really understand why you get so upset!? you’re not a myspace programmer, are you? if, then, please forgive.
Hey man, thank you it’s very usefull
and another point (yeah its a victory for me ..a little one )
I learned how it works at the movies from myspace thanks to your tutorial.
@Andy
You’re missing the point though. This isn’t about the tool itself used to acquire it - double-clicking the link is a scriptkiddie move (i.e. action without comprehension of what the problem is).
It IS about HOW this happens, broken down into the guts of what the issue is and the fact that MySpace is championing it as a protected service when it is not - regardless if it was based off Flash or not, that isn’t so relevant because Flash is only providing the medium/pathway for gathering the data from a system that carries no session token and isn’t/shouldn’t be expected to protect the content itself.
The headline is obviously mentioning Safari as the tool of choice because it lends to providing a concise breakdown without any add-in/plug-in necessary of the ‘activity’ taking place. I would tend to believe that it has to do with the fact that the author is a Apple Macintosh user.
“This article will show you HOW you can ’snatch’ (I don’t like the word steal) music from MySpace artists, which I reiterate that I do discourage, just by following the TRAIL OF BREADCRUMBS left behind. Its very simple, too simple and quite frankly I am surprised this hasn’t been blown wide open.” THAT is the meat of the topic you should be paying attention to.
well, your interpretation of between the lines philosophies differs from mine. i read an article about a technical issue, that people should be aware of. especially everyone who’s publishing media content via flash. i think you basically want to blame myspace for their lazyness and i totally agree on that.
but in the first place, i would have never have assumed that myspace is a secure place to publish music anyway. it is a useful platform to reach a wide variety of people interested in many flavours of music and for the artists to get direct feedback on their works. it is up to the musician to decide on the material he/she puts up there. no one forces them to upload full tracks (and one minute edits are quite common there). from what i’ve heard on the site, also the audio compression makes the files not very intersting to listen to them on a home stereo. so i don’t care about myspace so much.
but most artists have also little flash based websites that use higher quality mp3s, that can be ’snatched’ in the exact same way and they totally trust flash streaming on being a safe way to play their files on the web. i haven’t seen any musicians site using other technologies than flash in the last years. the files they ’stream’ are basically the same quality as in any online mp3 shop. that is a problem that goes a bit beyond the lax myspace security and comes with adobe flash.
my point is that artits should be aware of that.
“but most artists have also little flash based websites that use higher quality mp3s, that can be ’snatched’ in the exact same way and they totally trust flash streaming on being a safe way to play their files on the web. i haven’t seen any musicians site using other technologies than flash in the last years. the files they ’stream’ are basically the same quality as in any online mp3 shop. that is a problem that goes a bit beyond the lax myspace security and comes with adobe flash.”
@Andy
You’ve missed the point, again. It boils down to MySpace –selling the concept– as a protected service. The other artist’s sites you’ve mentioned, may or may not be doing this. What this article does is establish that there is an issue, a major issue, with the protection of the content and then defines that MySpace is ludicrous enough to deceive their users into believing said content is protected.
Quite sidelining the conversation with red herring arguments, you know you’ve misinterpreted the intent of the article. However, instead of admitting to this, you dubiously intend to carry out your points when they’ve got less relation to the scope of the article as a whole. This has little effect on anyone else, but makes you look more egotistical and a general annoyance to the readers of this site.
If you want do delete your site from our spam bases - just email us with domain of your site:
abuse-here@inbox.ru
thank you!
@BT Clemson, djmckey, jim
“…but makes you look more egotistical and a general annoyance to the readers of this site…”
tolerating different perspectives may not be your strongest talent. was hoping for a bit more interesting conversation here, giving up…
Hi there I came across this posting after googling for myspace music. Thanks for the interesting read. I have often thought about OSURE: Snatching Protected MySpace Music Using Safari at theReformed too. Thanks for sharing. On Monday I will have time to look into it more.
i’m computer illiterate, but how do you get the HTML source?
okay, now that myspace is out of the way..does anyone know how to download protected music off of sites like purevolume, stage.fm, etc? i tried using the same method as i did with myspace on those sites, but it didn’t work like the others. any help?
It’s great (in a weird way) to see that no matter what these companies are trying to do to stop it, there’s always people like you lot staying one step ahead and making sure people can still steal. I’m not poor by any means but I like to get things for free whenever possible, and for me I make a point of taking from large corporations since technically it’s impossible to steal from them anyway (anyone who has ever worked in the Retail industry and knows about shrinkage will know). Sure the artist’s losing out on sales, but I don’t think they’re losing much sleep over it. With the amount of attention-whoring and saturation they have going for them these days they’re finding more sheep than ever that will gladly and blindly throw their hard earned cash at them.
Maybe if it was like the good old days where you could go into a record shop, buy an album and know that 75% of your cash was actually *going* to the artist, and not the label, then I would feel more comfortable about paying for music (and by the way I ain’t all bad, I bought Radiohead’s new album online for £30, where they released it themselves with no record label and you could pay them ANY price, what you thought the album was worth- I paid double). When more artists start doing that, Ill stop downloading.
Time for me to go exploring and downloading again
@Edward
Encouraging the public to steal music is absolutely not the point of the article in it’s entirety.
I don’t know how people, such as yourself, come to these conclusions, especially when the author specifically denounced the practice to ensure this is seen as a proof-of-concept and not a article encouraging malicious, criminal enterprise.
Here’s another thing. I can’t save the .mp3 unless I have a QUICKTIME PRO account? is there a way around it?
God some of you people are full of it. This article has done nothing but highlight a fault and now every ahole and his dog will go and try to RIP MUSIC OFF MYSPACE well done you tosser!
@Edward Teach
“Sure the artist’s losing out on sales, but I don’t think they’re losing much sleep over it. With the amount of attention-whoring and saturation they have going for them these days they’re finding more sheep than ever that will gladly and blindly throw their hard earned cash at them.”
Idiot!!!! apart from the Madonnas Kylies of the world the rest of us need EVERY CENT to pay our mortgage, eat, live, pay for fuel ect we are not all rich as you seem to think. How about I come to your job and take 50% of your pay because I can? you cant see past your own nose!
Because of the sheer amount of idiotic ‘please hack’ requests and other ignorant comments associated with committing criminal acts or servicing self-serving ideals by a small percentage of participants, we’ve decided to shutoff any further commenting to this article.
We apologize to those of you that have or wish to submit valid questions or argument and encourage you to contact us via our e-mail instead. Thank you for your understanding.