Slashdot Mirror


Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG (theregister.co.uk)

Reader mask.of.sanity writes: Users of popular audiophile torrent site What.CD can make themselves administrators to completely compromise the private music site and bypass its notorious download ratio limits thanks to the use of the mt_rand function for password resets, a researcher has found. From the report (edited and condensed): What.CD is the world's most popular high quality music private torrent site that requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload to download ratio to continue to download from the site. [...] "I reported it a year ago, and they acknowledged it but said 'don't worry about it,'" said New-Zealand-based independent security researcher who goes by the alias ss23.

2 of 138 comments

  1. "audiophile" site... by Lumpy · Score: 3, Interesting

    Yeah, not much in real good audio there. Sorry, but a CD rip to FLAC is a joke. Call me when you have found that rare Japan release on SACD and then ripped that to FLAC....

    Also, their questionnaire is mostly Pseudo Knowledge and not real knowledge. Buddy of mine is an audio engineer with 2 degrees and he did not pass their test because he answered what were correct answers and not their audiophile misknowledge answers.

    --
    Do not look at laser with remaining good eye.
  2. Re:Monster[TM] Ethernet cables aren't good enough by ArmoredDragon · Score: 3, Interesting

    I've been a member of W.CD for about a year, and that's not the type of site it is. Most torrent sites that host music haven't the slightest clue how to make sure it is a decent quality release. Similar to how TV and movie torrent sites have extensive rules for quality (similar to what scene releases have,) W.CD has its own rules that can guarantee you aren't going to waste ratio or time on a crap release. But they don't go to those silly analog extremes. For example, 192kbit VBR MP3 (aka LAME v2) is a perfectly acceptable encode there because it provides audible transparency. What won't be accepted is i.e. having a 128kbit CBR MP3, or having anything that is up-encoded to fit the rules (and yes, you can empirically measure when somebody has done this, W.CD even provides guides for doing so.)

    I personally am not an audiophile, nor am I a music enthusiast, but it's a nice site. In addition to music, it's also a wonderful site for college textbooks (I personally have uploaded several, including ones I've scanned myself.)