This is the Problem with Soundcloud

This is what I don’t like about Soundcloud and why I’m not renewing my pro account. The song above is “In Dead We Dream” by Maylene and the Sons of Disaster. It’s supposed to be a Revolver Mag exclusive, but here it is available for me to embed. It also potentially lets me into any other upcoming exclusive they have.

Update: A Soundcloud employee contacted us in the comments, and then by email, and it turns out there was some confusion. The quick explanation is that the secret code for one track might not necessarily work for another track. However, there are secret codes that will ‘unlock’ multiple tracks. The grey text is the original article. Below it, in dark text, I explain where the confusion was regarding the back-and-forth between us and Soundcloud.

By viewing the source of the webpage, the embed code for the player looks like this:

<embed type="application/x-shockwave-flash" width="100%" height="81" src="http://player.soundcloud.com/player.swf?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F20382515%3Fsecret_token%3Ds-GfxMu&amp;show_comments=true&amp;auto_play=false&amp;color=000000" allowscriptaccess="always"></embed>

Alternatively, if you just hit the “info” button in the player above and then click the track title, it takes you to the permalink for that track on Soundcloud, which also gives you the secret token that lets you see any private track. The URL looks like this:

http://soundcloud.com/revolvermag/maylene-and-the-sons-of/s-GfxMu

The thing is… that code’s not unique to the track, it’s unique to the entire account. It doesn’t change. The format for the URL is soundcloud.com/username/song-name/secret-code. Obviously the song-name is subject to a character limit, but as you can see it would be pretty easy to uncover a private track if you knew its details.

As a real-world example of this, KROQ has been exclusively premiering tracks for a while now. They recently had the world premiere of Bush’s “The Sound of Winter” (listen here) that they posted to their website late on July 21st. However, they put it on Soundcloud on the 20th, and when I heard they were premiering it the next day, I went straight to the private page for it and listened to it. How? Because they always use /artist-name-song-name/ like everybody else does. Try it out the next time they’re premiering a track. It’s been the same for every one they’ve done so far, and they always put it online at least a day in advance (although if they read this, maybe not anymore).

Obviously KROQ, Revolver Mag, tunelab (I realized this when I saw the play count going up on private tracks for a band I was working with), and others can circumvent this by using random characters as the track names, but nobody in our position wants to do that, because that’s what shows up in the player.

I approached them via their help forums months ago regarding the issue, and the answer was (Full Thread): “Unfortunately it doesn’t look like SC is implementing anything like this right now (exactly what you want) and something along these lines might take a little while to develop if Soundcloud shows interest in it. Also, I am assuming they would have to see a lot of interest generated from users in order to start going in this direction.”

All they would have to do is offer something like Vimeo does, like domain-level privacy (only allowing embedding on certain domains) and/or an actual password protection mechanism. A lower tech but still effective solution would be to allow the track to be named one thing, but the URL to be able to be different, so you could make it a random string.
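To make the two fixes concrete, here is a small Python sketch of what they look like on the server side. This is an added illustration, not Soundcloud’s or Vimeo’s code: the slug is generated at random so the player can still show the real title while the URL gives nothing away, and the embed check compares the embedding page’s Referer host against an allowlist, matching whole domains and subdomains only (so a look-alike domain doesn’t slip through) and rejecting a missing or unparsable Referer. The domain names and titles in it are made up.

```python
"""Two of the controls the post asks for, sketched as hypothetical code:
a URL slug decoupled from the display title, and a domain allowlist for
embedding. Not Soundcloud's or Vimeo's implementation."""
import secrets
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def private_slug(display_title: str, nbytes: int = 9) -> Tuple[str, str]:
    """Return (display_title, url_slug).

    The player keeps showing the real title; the URL uses a random slug
    that cannot be derived from the artist or song name."""
    return display_title, secrets.token_urlsafe(nbytes)


def _host_matches(host: str, allowed: str) -> bool:
    """Exact match or a subdomain of an allowed domain.

    A bare suffix test would let "evil-radio.example" match
    "radio.example", so the dot is required before the allowed domain."""
    host = host.lower().rstrip(".")
    allowed = allowed.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


def embed_allowed(referer: Optional[str], allowed_domains: Iterable[str]) -> bool:
    """Decide whether a player load may proceed based on the page that
    embedded it. Fails closed: no Referer, a non-http(s) scheme, or a
    missing hostname all mean the embed is refused."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(_host_matches(parts.hostname, d) for d in allowed_domains)


if __name__ == "__main__":
    # Constructed sample: a station that only wants its own site to embed.
    allowed = ["radio.example"]
    title, slug = private_slug("Artist Name - Song Name")
    print(title, "->", slug)
    for ref in ("https://www.radio.example/premiere",
                "http://evil-radio.example/copy",
                "http://radio.example.attacker.example/",
                None):
        print(ref, embed_allowed(ref, allowed))
```

The Referer check is only as strong as the browser’s willingness to send the header, so it is a coarse “where may this be embedded” control in the Vimeo sense, not a replacement for the secret token; the two are meant to be used together.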

Either way, Soundcloud is really not a good option for anybody that wants to keep anything private at all. This and the price of accounts I talked about in the article Building a Better Soundcloud really make me wish there was an alternative out there.

*****
So here’s what we were able to figure out: First off, there is a way to change the URL without the player’s display changing; I had simply missed it, and the person who helped me in their forum apparently didn’t know either. As for the secret tokens: On Soundcloud you have “tracks” and then you can also have “sets” that contain tracks. If you have an account and simply have tracks on their own, say for example:

/username/track-01/secret567
/username/track-02/secret092

Then you actually cannot use the secret token from one track to access the other. However, if you put both of those tracks in a “set,” and then embed the set, it comes with its own unique secret token, for instance:

/username/SET1/set-secret123 which contains:
– /track-01/
– /track-02/

The tracks within that set still have their own unique secret code, and they can’t be used on each other. However, the set’s secret code can now be used to access any track within that set, like this:

/username/track-01/set-secret123
/username/track-02/set-secret123

And so on and so forth. When I had tested this on my own private tracks, it just so happened that they were all in the same set, and I had the set’s secret code. We’ve also determined that in the case of the radio station, the secret code I was using was the over-arching one, therefore it gave me access to everything within it. It was just a lucky coincidence that the first time they used it, it was embedded as a “set” with one track instead of just a “track.”

So if you’re like me and you’ve embedded a private set in the past, you may want to consider moving other private tracks out of that set, even if it’s no longer embedded anywhere, because anybody that still has that secret code can still access any track in that set. That includes if you’ve made the “set” public since then but still have “private” tracks in it. The bottom line is that each track does have its own unique secret code, but there still are secret codes that will work on multiple (or all) private tracks from a user.
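The set-versus-track token behaviour above is easier to reason about as a tiny model, so here is one in Python. It is an added illustration written from the description in this post, not Soundcloud’s code, and the account, slugs and tokens in it are constructed. It walks the same sequence: two private tracks whose own tokens don’t cross over, a set whose token unlocks both, the set being made public (which changes nothing for the set token), and finally a track being moved out of the set, which is the point where the set token stops working for it.

```python
"""Model of the secret-token scoping described in the post: a hypothetical
re-implementation for illustration only, not Soundcloud's code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _new_secret() -> str:
    # Same shape as the "s-GfxMu" suffix in the post's URLs; value is random.
    return "s-" + secrets.token_urlsafe(6)


@dataclass
class Track:
    slug: str
    private: bool = True
    secret: str = field(default_factory=_new_secret)   # per-track token


@dataclass
class TrackSet:
    slug: str
    tracks: List[str]                                  # slugs of member tracks
    private: bool = True
    secret: str = field(default_factory=_new_secret)   # the set's own token


class Account:
    """One user's tracks and sets, keyed by slug (constructed data only)."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.tracks: Dict[str, Track] = {}
        self.sets: Dict[str, TrackSet] = {}

    def add_track(self, slug: str) -> Track:
        self.tracks[slug] = Track(slug)
        return self.tracks[slug]

    def add_set(self, slug: str, *track_slugs: str) -> TrackSet:
        self.sets[slug] = TrackSet(slug, list(track_slugs))
        return self.sets[slug]

    def remove_from_set(self, set_slug: str, track_slug: str) -> None:
        self.sets[set_slug].tracks.remove(track_slug)

    def tokens_unlocking(self, track_slug: str) -> Set[str]:
        """Every secret that currently grants access to a private track:
        its own token plus the token of each set that still contains it.
        Whether the set itself is public or private does not matter."""
        unlocking = {self.tracks[track_slug].secret}
        for s in self.sets.values():
            if track_slug in s.tracks:
                unlocking.add(s.secret)
        return unlocking

    def can_play(self, track_slug: str, secret: Optional[str]) -> bool:
        """Authorisation check for /username/<track_slug>/<secret>."""
        track = self.tracks.get(track_slug)
        if track is None:
            return False
        if not track.private:
            return True
        if secret is None:
            return False
        # constant-time comparison against each candidate token
        return any(secrets.compare_digest(secret, t)
                   for t in self.tokens_unlocking(track_slug))


def demo() -> Dict[str, bool]:
    """Replays the post's scenario; returns each observation by name."""
    acct = Account("username")
    t1 = acct.add_track("track-01")
    t2 = acct.add_track("track-02")
    out = {}
    out["track_token_crosses"] = acct.can_play("track-02", t1.secret)
    s = acct.add_set("SET1", "track-01", "track-02")
    out["set_token_on_track"] = acct.can_play("track-02", s.secret)
    s.private = False                      # publishing the set revokes nothing
    out["after_set_public"] = acct.can_play("track-01", s.secret)
    acct.remove_from_set("SET1", "track-01")   # the fix the post recommends
    out["after_removal"] = acct.can_play("track-01", s.secret)
    out["own_token_still_works"] = acct.can_play("track-01", t1.secret)
    out["other_track_unaffected"] = acct.can_play("track-02", s.secret)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The useful thing to notice in tokens_unlocking is that a track’s exposure is the union of every token that has ever been handed out for a set it still belongs to; in this model, moving the track out of the set is the only thing that shrinks that union, which is exactly the advice above.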

The Soundcloud folks tell me that this is intended and not a bug/exploit, otherwise I wouldn’t post this without first giving them the opportunity to address it. I’d still like domain-level privacy (because as you see above, we could stream somebody else’s “exclusive”), and as you can see in a comment below they are looking into it.