This is such a great music service but I'm wondering who is behind it and why they provide it? It must be costing them something to host the site. Interesting that Cloudflare stats show its biggest user base is India.

you are viewing a single comment's thread
view the rest of the comments

[–] Coopr8@kbin.earth 6 points 2 weeks ago (2 children)

My bigger question is how secure is it? Looks like low trust score new Russian website, what's the chance of malware or other attacks?

[–] BlueRingedOctopus@lemmy.dbzer0.com 7 points 1 week ago (2 children)

It gives you literal FLAC files, how are they gonna be malicious!?

People need to stop over analyzing things, its just a qobuz ripper, people who want to help the community provide them with Qobuz tokens that don't expire as often as Deezer, now they just rip from Qobuz on your request, as simple as that. Firehawk is also building a similar site from scratch.

[–] chirping@infosec.pub 1 points 2 days ago

Well it's both possible, and has been done. both with mp3s and FLAC, not too long ago. It's not the format itself, but rather the applications parsing the files that are the target.

CVE-2023-37327: A remote code execution vulnerability in GStreamer’s FLAC file parser caused by an integer overflow. Carefully crafted FLAC files could exploit this flaw to run arbitrary code on the target system

https://nvd.nist.gov/vuln/detail/CVE-2023-37327#%3A%7E%3Atext=GStreamer+FLAC%2Ccode+on

[–] Coopr8@kbin.earth 6 points 1 week ago (1 children)

I mean, a website where you make requests to download many files are pretty ripe for a bate and switch scenario. That said, I'm looking for more cybersecuroty savvy folks than myself to chime in with the all-clear after doing some actual checks and analysis.

[–] ArcaneSlime@lemmy.dbzer0.com 4 points 1 week ago* (last edited 1 week ago) (1 children)

bate and switch

Is that when you use your left hand?

[–] Coopr8@kbin.earth 2 points 1 week ago (1 children)

Lol, yep, then do a malicious redirection attack after getting a large user base which forces a drive-by-download of a malware package alongside the requested FLAC file.

[–] ArcaneSlime@lemmy.dbzer0.com 1 points 1 week ago (1 children)

(The joke was: you mean "bait and switch." "Bate" is short for "masturbate.")

[–] Coopr8@kbin.earth 1 points 1 week ago

Yes, I know, thats why I lol'ed

[–] 10x10@lemmy.dbzer0.com 4 points 1 week ago* (last edited 1 week ago)

Im not aware its possible to put malware in a flac file and its still playable. There are a few examples from 2007-2008 but they were to do with flac media players. Microsoft showed you could corrupt the meta data but its then unplayable. I think BlueRingedOctopus comment has the right idea.