Spotify music converter TuneFab puts users at risk

TuneFab converter, used to convert copyrighted music from streaming platforms such as Spotify, Amazon’s Audible, or Apple Music, has exposed its users’ private data.

Cybernews research showed that the platform has exposed more than 151 million parsed records with users’ IP addresses, userArea, userIDs, emails, and device info.

The leak was caused by a misconfiguration on MongoDB, a document-oriented database platform, that left TuneFab’s data passwordless and publicly accessible.

The private data leak was identified on September 26th and indexed by public IoT search engines on the same day. The researcher contacted the company about the leak, and the misconfiguration was promptly fixed. Total exposure time was no longer than 24 hours. The company has yet to respond to a Cybernews request for an official comment on the matter.

According to Bob Diachenko, a cybersecurity researcher who first identified the leak, more than 280GB of exposed data could assist threat actors in the enrichment of data from previous leaks.

The company is registered in Hong Kong. Across eight apps created by TuneFab, it provides services, often considered illegal, to convert audio tracks on streaming platforms into MP3, M4A, WAV, FLAC, AIFF, AAC, and ALAC formats and download files to users’ devices, bypassing digital rights protection.

Do you want to know which are the streaming services covered by TuneFab? Take a look at the original post on CyberNews

https://cybernews.com/news/spotify-music-converter-puts-users-at-risk/

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Spotify music converter)