Grooveshark Mobile player is horribly insecure

It is incredibly easy to rip streams onto mp3 files with the new player. Start playing a song, then open your browser developer console, hit the network tab, right-click on the stream.php request, copy as curl, paste into a terminal window and you’ve got yourself a 64bit mono mp3 of the song.


If you try these shenanigans with Rdio, you get a 403 Forbidden error. Grooveshark is wide open. It’s a music free-for-all. How can Grooveshark still get away with this stuff?
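
The replay above works because copy-as-curl reproduces every header and cookie the browser sent, so the server needs state of its own to tell a second request from the first. The following is an added example, not Grooveshark's or Rdio's code (the post does not say how Rdio produces its 403): one way a stream endpoint can refuse replayed requests, using hypothetical functions `issue_stream_token` and `check_stream_request` with an HMAC-signed, short-lived, single-use token.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key, constructed for this example
TOKEN_TTL = 30                    # seconds a token stays valid (assumed value)
_used_nonces = {}                 # nonce -> expiry; a shared store would replace this dict


def _sign(song_id, session_id, nonce, expires):
    msg = f"{song_id}|{session_id}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_stream_token(song_id, session_id, now=None):
    """Called when the player starts a song; returns the stream URL's query parameters."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expires = int(now) + TOKEN_TTL
    return {"song": song_id, "nonce": nonce, "expires": expires,
            "sig": _sign(song_id, session_id, nonce, expires)}


def check_stream_request(params, session_id, now=None):
    """Return the HTTP status the stream endpoint should send: 200 or 403."""
    now = time.time() if now is None else now
    try:
        song, nonce = params["song"], params["nonce"]
        expires, sig = int(params["expires"]), str(params["sig"])
    except (KeyError, ValueError, TypeError):
        return 403                       # malformed or missing parameters
    expected = _sign(song, session_id, nonce, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403                       # tampered, or issued to another session
    if now > expires:
        return 403                       # token too old
    # Forget nonces whose tokens have expired, then refuse any nonce already seen.
    for old in [n for n, exp in _used_nonces.items() if exp < now]:
        del _used_nonces[old]
    if nonce in _used_nonces:
        return 403                       # replay: this token was already consumed
    _used_nonces[nonce] = expires
    return 200
```

This only rejects a captured request that is sent again; it does not stop a client from keeping the bytes it was legitimately served. A player that fetches audio with multiple range requests would need a token per segment rather than one per song.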

  1. #1 by Erik on September 22, 2013 - 10:32 pm

    I don’t think Grooveshark pays any royalties so it would make sense that they would allow such a simple hack.

  2. #2 by indiloop on September 22, 2013 - 10:33 pm

    From what I know Grooveshark is outlawed by the music industry because they refuse to pay royalties. So for that reason I’m not so surprised that they would allow such a hack.

  3. #3 by Theorem on September 23, 2013 - 4:36 am

    It’s just as easy with the old Flash interface: it transfers MP3s over HTTP, so you can capture them by running your traffic through a (local) proxy. If Rdio transfers songs over HTTP, the same technique should work there.

    In the end, if I can hear the music, then I can record the music. As a music provider, you just have to trust me not to.

  4. #4 by Svante Stadler on September 23, 2013 - 5:29 am

    64kbps mono? Is that even considered worth protecting these days? You can get higher quality from YouTube, and those files are also wide open.

    Other than that, the app doesn’t even work on Firefox (for me), so it’s probably an early version. For what it’s worth, their regular (flash-based?) page does apply some measures to protect against file ripping.

  5. #5 by Sameer on October 20, 2013 - 2:09 pm

    Yeah, @Theorem is absolutely correct. It’s a plain old method, and in fact I have seen that such a hack is possible on many other music portals like Grooveshark. Also, if you have IDM installed on your Windows computer, it automatically allows you to download the track once you push the play button.
