HDTracks
In November 2022, I discovered a security flaw on the HDTracks website that could enable unauthorized free music downloads, including those marked for preorder.
Every album and track on HDTracks is assigned a unique ID. When a user purchases music from HDTracks and initiates the download process, the files are downloaded from a specific URL: https://hdtracks.azurewebsites.net/download. The album ID, the track ID, and a JWT (JSON Web Token) authentication signature are appended to this URL.
However, I observed that the website was not thoroughly validating the JWT signature. This meant that a user could simply log into HDTracks, substitute the JWT in the URL with their own authentication signature, alter the album and track IDs, and start downloading music.
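To illustrate the difference between checking that a JWT is valid and checking that its bearer is entitled to the requested album, here is an added example (not HDTracks' code) modelling a download endpoint that receives the album ID, track ID and token: the vulnerable handler accepts any correctly signed token for any album, while the hardened handler also verifies that the token's user owns the album. The HS256 secret, the `sub` claim, the `PURCHASES` table and the response strings are all constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key"  # constructed; a real service keeps this server-side only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(user_id: str) -> str:
    """Mint an HS256 JWT whose 'sub' claim names the logged-in user (assumed claim name)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str):
    """Return the claims dict if the HS256 signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64, JSON or token shape
        return None

# Constructed purchase records: user -> set of album IDs that user has paid for.
PURCHASES = {"alice": {"album-100"}, "bob": set()}

def download_vulnerable(album_id: str, track_id: str, token: str) -> str:
    """Authentication only: any valid token unlocks any album (the flaw described above)."""
    claims = verify_token(token)
    if claims is None:
        return "401 unauthenticated"
    return f"200 serving {album_id}/{track_id}"

def download_fixed(album_id: str, track_id: str, token: str) -> str:
    """Authentication plus authorization: the token's subject must own the requested album."""
    claims = verify_token(token)
    if claims is None:
        return "401 unauthenticated"
    if album_id not in PURCHASES.get(claims.get("sub"), set()):
        return "403 not purchased"
    return f"200 serving {album_id}/{track_id}"
```

The signature check alone only proves who is asking; the entitlement lookup is the step that ties the token to the specific album and track IDs in the URL.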
Upon discovering this, I promptly reported the issue to the HDTracks team. I was impressed by their swift response and immediate action to rectify the problem.