{"id":1981748,"date":"2023-02-26T21:10:56","date_gmt":"2023-02-27T02:10:56","guid":{"rendered":"https:\/\/wordpress-1016567-4521551.cloudwaysapps.com\/plato-data\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked\/"},"modified":"2023-02-26T21:10:56","modified_gmt":"2023-02-27T02:10:56","slug":"beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked","status":"publish","type":"station","link":"https:\/\/platodata.io\/plato-data\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked\/","title":{"rendered":"Beware rogue 2FA apps in App Store and Google Play \u2013 don\u2019t get hacked!"},"content":{"rendered":"<div class=\"entry-prefix\">\n<div class=\"entry-author\"> <span class=\"by\">by<\/span> <a href=\"https:\/\/nakedsecurity.sophos.com\/author\/paul-ducklin\/\" title=\"Posts by Paul Ducklin\" class=\"author url fn\" rel=\"author\">Paul Ducklin<\/a> <\/div><\/div>\n<p><em>Thanks to <strong>Tommy Mysk<\/strong> and <strong>Talal Haj Bakry<\/strong> of <a href=\"https:\/\/twitter.com\/mysk_co\" rel=\"nofollow\">@mysk_co<\/a> for the impetus and information behind this article. The duo describe themselves as \u201ctwo iOS developers and occasional security researchers on two continents.\u201d In other words, although cybersecurity isn\u2019t their core business, they\u2019re doing what we wish all programmers would do: not taking application or operating system security features for granted, but keeping their own eyes on how those features work in real life, in order to avoid tripping over other people\u2019s mistakes and assumptions.<br \/>The featured image above is based on one of their tweets, which you can see in full below.<\/em><\/p>\n<p>Twitter recently <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/02\/20\/twitter-tells-users-pay-up-if-you-want-to-keep-using-insecure-2fa\/\">announced<\/a> that it doesn\u2019t think SMS-based two-factor authentication (2FA) is secure enough any more.<\/p>\n<p>Ironically, as we explained last week, the very users for whom you\u2019d think this change would be most important are the \u201ctop tier\u201d Twitter users \u2013 those who pay for a Twitter Blue badge to give them more reach and to allow them to send longer tweets\u2026<\/p>\n<p>\u2026but those pay-to-play users will be allowed to keep using text messages (SMSes) to receive their 2FA codes.<\/p>\n<p>The rest of us need to switch over to a different sort of 2FA system within the next three weeks (before Friday 2023-03-17).<\/p>\n<p>That means using an app that generates a secret \u201cseeded\u201d sequence of one-time codes, or using a hardware token, such as a Yubikey, that does the cryptographic part of proving your identity.<\/p>\n<aside id=\"sophos_ad-3\" class=\"widget sophos-inline-ad sophos_widget_ad\"> .s-button+.s-button { margin-left: .3125rem; } .s-button { transition: all .15s linear; font-size: .875rem; line-height: 1.5; color: #f2f2f2; font-family: SophosSansMedium, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; display: inline-block; padding: .3125rem 1.25rem; cursor: pointer; text-align: center; text-decoration: none; border: 1px solid #005bc8; border-radius: 3px; background-color: #005bc8; text-shadow: none; } .s-button:hover { text-decoration: none; color: #fff; border-color: #002d62; background-color: #002d62; } .s-button&#8211;white, .s-button&#8211;white:hover { color: #005bc8 !important; border-color: #fff; background-color: #fff; } .s-ad-sophos-mdr { font-size: 1rem; line-height: 1.5; color: #242629; font-family: SophosSansRegular, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; position: relative; max-width: 769px; margin: 15px auto; padding: 30px 30px 25px; transition: box-shadow .25s cubic-bezier( .645, .045, .355, 1 ); text-align: center; background-color: #0d141d; background-repeat: no-repeat; background-position: 50%; background-size: cover; box-shadow: 0 0 0 0 0 transparent; background-color: #005bc8; background-image: none; background-position: 0 0; } .s-ad-sophos-mdr__title { font-size: 2rem; line-height: 1.125; margin-bottom: 4px; color: #fff; } .s-ad-sophos-mdr__text { font-family: SophosSansLight, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; font-size: 17px; color: #fff; } .s-ad-sophos-mdr__action { margin-top: 15px; } .s-ad-sophos-mdr__action .s-button { color: #fff; } .s-ad-sophos-mdr__link-wrapper { text-decoration: none; } .s-ad-sophos-mdr__link-wrapper:hover .s-ad-sophos-mdr { box-shadow: 0 5px 10px 0 rgba( 0, 0, 0, .15 ); } .s-ad-sophos-mdr__sophos-logo { position: absolute; top: 15px; right: 15px; } .s-ad-sophos-mdr__sophos-logo-svg { display: inline-block; width: 64px; height: 11px; vertical-align: top; background-repeat: no-repeat; background-size: 64px 11px; } .s-ad-sophos-mdr__title { font-family: SophosSansSemibold, Helvetica Neue, Helvetica, Arial, sans-serif; font-weight: 400; font-style: normal; font-size: 28px; font-weight: 700; line-height: 1; margin-bottom: 10px; text-align: left; } .s-ad-sophos-mdr__title svg { max-width: 100%; } .s-ad-sophos-mdr__text { font-size: 16px; line-height: 1.25; text-align: left; } .s-ad-sophos-mdr__action { text-align: right; } .s-ad-sophos-mdr .s-button { border-radius: 20px; } @media (min-width:769px) { .s-ad-sophos-mdr__text { margin-right: 140px; } .s-ad-sophos-mdr__action { position: absolute; right: 30px; bottom: 30px; } } @media (max-width:768px) { .s-ad-sophos-mdr { padding-top: 50px; } .s-ad-sophos-mdr__title { font-size: 1.625rem; } .s-ad-sophos-mdr__text { font-size: 16px; } .s-ad-sophos-mdr { padding-top: 30px; } } <\/aside>\n<h2>Hardware keys or app-based codes?<\/h2>\n<p>Hardware security keys cost about $100 each (we\u2019re going by Yubikey\u2019s approximate price for a device with biometric protection based on your fingerprint), or $50 if you\u2019re willing to go for the less-secure sort that can be activated by the touch of anyone\u2019s finger.<\/p>\n<p>We\u2019re therefore willing to assume that anyone who has already invested in a hardware security token will have done so on purpose, and won\u2019t have bought one to leave it sitting idly around at home.<\/p>\n<p>Those users will therefore already have switched away from from SMS-based or app-based 2FA.<\/p>\n<p>But everyone else, we\u2019re guessing, falls into one of three camps:<\/p>\n<ul>\n<li><strong>Those who don\u2019t use 2FA at all,<\/strong> because they consider it an unnecessary additional hassle when logging in.\n<\/li>\n<li><strong>Those who turned on SMS-based 2FA,<\/strong> because it\u2019s simple, easy to use, and works with any mobile phone.\n<\/li>\n<li><strong>Those who went for app-based 2FA,<\/strong> because they were reluctant to hand over their phone number, or had already decided to move on from text-message 2FA.\n<\/li>\n<\/ul>\n<p>If you\u2019re in the second camp, we\u2019re hoping you won\u2019t just give up on 2FA and let it lapse on your Twitter account, but will switch to an app to generate those six-digit codes instead.<\/p>\n<p>And if you\u2019re in the first camp, we\u2019re hoping that the publicity and debate around Twitter\u2019s change (was it really done for security reasons, or simply to save money on sending so many SMSes?) will be the impetus you need to adopt 2FA yourself.<\/p>\n<h2>How to do app-based 2FA?<\/h2>\n<p>If you\u2019re using an iPhone, the password manager built into iOS can generate 2FA codes for you, for as many websites as a you like, so you don\u2019t need to install any additional software.<\/p>\n<p>On Android, Google offers its own authenticator app, unsurprisingly called <em>Google Authenticator<\/em>, that you can get from Google Play.<\/p>\n<p>Google\u2019s add-on app does the job of generating the needed one-time login code sequences, just like Apple\u2019s <em>Settings<\/em> &gt; <em>Passwords<\/em> utility on iOS.<\/p>\n<p>But we\u2019re going to assume that at least some people, and possibly many, will perfectly reasonably have asked themselves, <em>\u201cWhat other authenticator apps are out there, so I don\u2019t have to put all my cybersecurity eggs into Apple\u2019s (or Google\u2019s) basket?\u201d<\/em><\/p>\n<p>Many reputable companies (including Sophos, by the way, for both <a href=\"https:\/\/apps.apple.com\/app\/sophos-intercept-x-for-mobile\/id1086924662\">iOS<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.sophos.smsec\">Android<\/a>) provide free, trustworthy, authenticator utilities that will do exactly what you need, without any frills, fees or ads, if you understandably feel like using a 2FA app that doesn\u2019t come from the same vendor as your operating system.<\/p>\n<p>Indeed, you can find an extensive, and tempting, range of authenticators just by searching for <em>Authenticator app<\/em> in Google Play or the App Store.<\/p>\n<h2>Spoilt for choice<\/h2>\n<p>The problem is that there is an improbable, perhaps even imponderable, number of such apps, all apparently endorsed for quality by their acceptance into Apple\u2019s and Google\u2019s official \u201cwalled gardens\u201d.<\/p>\n<p>In fact, friends of Naked Security <a href=\"https:\/\/twitter.com\/mysk_co\" rel=\"nofollow\">@mysk_co<\/a> just emailed us to say that they\u2019d gone looking for authenticator apps themselves, and were somewhere between startled and shocked at what they found.<\/p>\n<p>Tommy Mysk, co-founder of @mysk_co, put it plainly and simply in an email:<\/p>\n<blockquote>\n<p>We analysed several authenticator apps after Twitter had stopped the SMS method for 2FA. We saw many scam apps looking almost the same. They all trick users to take out a yearly subscription for $40\/year. We caught four that have near identical binaries. We also caught one app that sends every scanned QR code to the developer\u2019s Google analytics account.<\/p>\n<\/blockquote>\n<p>As Tommy invites you to ask yourself, in a series of tweets he\u2019s posted, how is even a well-informed user supposed to know that their top search result for \u201c<em>Authenticator app<\/em>\u201d may in fact be the very one to avoid at all costs?<\/p>\n<p>Imposter apps in this category, it seems, generally try to get you to pay them anywhere from $20 to $40 every year \u2013 about as much as it would cost to buy a reputable hardware 2FA token that would last for years and almost certainly be more secure:<\/p>\n<div>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Many of these suspicious authenticator apps use this technique to trick users. After you finish the welcome wizard after the first launch, you get the in-app purchase view. And the x button to dismiss the view appears after a few seconds (upper right corner)<a href=\"https:\/\/twitter.com\/hashtag\/AppStore?src=hash&amp;ref_src=twsrc%5Etfw\">#AppStore<\/a> <a href=\"https:\/\/t.co\/sgxEo5ZwF0\">pic.twitter.com\/sgxEo5ZwF0<\/a><\/p>\n<p>\u2014 Mysk \ud83c\udde8\ud83c\udde6\ud83c\udde9\ud83c\uddea (@mysk_co) <a href=\"https:\/\/twitter.com\/mysk_co\/status\/1627698667237912577?ref_src=twsrc%5Etfw\">February 20, 2023<\/a><\/p>\n<\/blockquote>\n<\/div>\n<p>When we tried searching on the App Store, for example, our top hit was an app with a description that bordered on the illiterate (we\u2019re hoping that this level of unprofessionalism would put at least some people off right away), created by a company using the name of a well-known Chinese mobile phone brand.<\/p>\n<p>Given the apparent poor quality of the app (though it had nevertheless made it into the App Store, don\u2019t forget), our first thought was that we were looking at out-and-out company name infringement.<\/p>\n<p>We were surprised that the presumed imposters had been able to acquire an Apple code signing certificate in a name we didn\u2019t think they had the right to use.<\/p>\n<p>We had to read the company name twice before we realised that one letter had been swapped for a lookalike character, and we were dealing with good old \u201ctyposquatting\u201d, or what a lawyer might call <em>passing off<\/em> \u2013 deliberately picking a name that doesn\u2019t literally match but is visually similar enough to mislead you at a glance.<\/p>\n<p>When we searched on Google Play, the top hit was an app that @mysk_co had already tweeted about, warning that it not only demands money you don\u2019t need to spend, but also steals the <em>seeds<\/em> or <em>starting secrets<\/em> of the accounts you set up for 2FA.<\/p>\n<p>Remember the secret string <code>6QYW4P6K\u00adWALGCUWM<\/code> in the QR code, and the TOTP numbers <code>660680<\/code> that you can see in the images below, because we\u2019ll meet them again later on:<\/p>\n<h2>Why seeds are secrets<\/h2>\n<p>To explain.<\/p>\n<p>Most app-based 2FA codes rely on a cryptographic protocol known as TOTP, short for <em>time-based one-time password<\/em>, specified in <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6238\" rel=\"nofollow\">RFC 6238<\/a>.<\/p>\n<p>The algorithm is surprisingly simple, as you can see from the sample Lua code below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/wordpress-1016567-4521551.cloudwaysapps.com\/wp-content\/uploads\/2023\/02\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked.png\" alt width=\"768\" height=\"348\" class=\"aligncenter size-full wp-image-855316\"><\/p>\n<p>The process works like this:<\/p>\n<p>A. Convert the seed, or \u201cstarting secret\u201d, originally provided to you as a base32-encoded string (as text or via a QR code), into a string of bytes [line 4].<\/p>\n<p>B. Divide the current \u201cUnix epoch time\u201d in seconds by 30, ignoring the fractional part. The Unix time is the number of seconds since 1970-01-01T00:00:00Z [5].<\/p>\n<p>C. Save this number, which is effectively a half-minute counter that started in 1970, into a memory buffer as a 64-bit (8-byte) big-endian unsigned integer [6].<\/p>\n<p>D. Hash that 8-byte buffer using one iteration of HMAC-SHA1 with the base32-decoded starting seed as the key [7].<\/p>\n<p>E. Extract the last byte of the 160-bit HMAC-SHA1 digest (byte 20 of 20), and then take its bottom four bits (the remainder when divided by 16) to get a number X between 0 and 15 inclusive [8].<\/p>\n<p>F. Extract bytes X+1,X+2,X+3,X+4 from the hash, i.e. 32 bits drawn anywhere from the first four bytes (1..4) to the last-four-but-one bytes (16..19) [13].<\/p>\n<p>G. Convert to a 32-bit big-endian unsigned integer and zero out the most significant bit, so it works cleanly whether it\u2019s later treated as signed or unsigned [13].<\/p>\n<p>H. Take the last 6 decimal digits of that integer (calculate the remainder when divided by a million) and print it out with leading zeros to get the TOTP code [17].<\/p>\n<p>In other words, the starting seed for any account, or the secret as you can see it labelled in @mysk_co\u2019s tweet above, is quite literally the key to producing every TOTP code you will ever need for that account.<\/p>\n<h2>Codes are for using, seeds are for securing<\/h2>\n<p>There are three reasons why you only ever type in those weirdly-computed six-digit codes when you you login, and never use (or even need to see) the seed again directly:<\/p>\n<ul>\n<li><strong>You can\u2019t work backwards from any of the codes to the key used to generate them.<\/strong> So intercepting TOTP codes, even in large numbers, doesn\u2019t help you to reverse-engineer your way to any past or future logon codes.\n<\/li>\n<li><strong>You can\u2019t work forwards from the current code to the next one in sequence.<\/strong> Each code is computed independently, based on the seed, so intercepting a code today won\u2019t help you logon in the future. The codes therefore act as one-time passwords.\n<\/li>\n<li><strong>You never need to type the seed itself into a web page or password form.<\/strong> On a modern mobile phone, it can therefore be saved exactly once into the secure storage chip (sometimes called an <em>enclave<\/em>) on the device, where an attacker who steals your phone when it\u2019s locked or turned off can\u2019t extract it.\n<\/li>\n<\/ul>\n<p>Simply put, a generated code is safe for one-time use, because the seed can\u2019t be wrangled backwards from the code.<\/p>\n<p>But the seed must be kept secret forever, because any code, from the start of 1970 until long after the likely heat death of the universe (2<sup>63<\/sup> seconds into the future, or about 0.3 trillion years), can be generated almost instantly from the seed.<\/p>\n<p>Of course, the service you\u2019re logging into needs a copy of your seed in order to verify that that you\u2019ve supplied a code that matches the time at which you\u2019re trying to log on.<\/p>\n<p>So you need to <strong>trust the servers at the other end<\/strong> to take extra care to keep your seeds secure, even (or perhaps especially) if the service gets breached.<\/p>\n<p>You also need to <strong>trust the application you\u2019re using at your end<\/strong> never to reveal your seeds.<\/p>\n<p>That means <strong>not displaying those seeds<\/strong> to anyone (a properly-coded app won\u2019t even show the seed to you after you\u2019ve entered it or scanned it in, because you simply don\u2019t need to see it again), <strong>not releasing seeds<\/strong> to to any other apps, <strong>not writing them out<\/strong> to log files, adding them to backups or including them in debug output\u2026<\/p>\n<p>\u2026and very, very definitely <strong>never transmitting any of your seeds over the network<\/strong>.<\/p>\n<p>In fact, an app that uploads your seeds to a server anywhere in the wirld is either so incompetent that you should stop using it immediately, or so untrustworthy that you should treat it as cybercriminal malware.<\/p>\n<h2>What to do?<\/h2>\n<p>If you\u2019ve grabbed an authenticator app recently, especially if you did it in a hurry as a result of Twitter\u2019s recent announcement, <strong>review your choice<\/strong> in the light of what you now know.<\/p>\n<p>If you were forced into paying a subscription for it; if the app is littered with ads; if the app comes with larger-than-life marketing and glowing reviews yet comes from a company you\u2019ve never heard of; or if you\u2019re simply having second thoughts, and something doesn\u2019t feel right about it\u2026<\/p>\n<p>\u2026consider switching to a mainstream app that your IT team has already approved, or that someone technical, whom you know and trust, can vouch for.<\/p>\n<p>As mentioned above, Apple has a built-in 2FA code generator in <em>Settings<\/em> &gt; <em>Passwords<\/em>, and Google has its own <em>Google Authenticator<\/em> app in the Play Store.<\/p>\n<p>Your favourite security vendor probably has a free, no-ads, no-excitement code generator app that you can use, too. (Sophos has a <a href=\"https:\/\/apps.apple.com\/us\/app\/sophos-authenticator\/id864224575\" rel=\"nofollow\">standalone authenticator<\/a> for iOS, and an authenticator component in the free Sophos Intercept X for Mobile app on both <a href=\"https:\/\/apps.apple.com\/us\/app\/sophos-intercept-x-for-mobile\/id1086924662\" rel=\"nofollow\">iOS<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.sophos.smsec\" rel=\"nofollow~\">Android<\/a>.)<\/p>\n<p>If you do decide to switch authenticator app because you\u2019re not sure about the one you\u2019ve got, be sure to <strong>reset all the 2FA seeds<\/strong> for all the accounts you\u2019ve entrusted to it.<\/p>\n<p>(In fact, if the old app has an option to export your seeds so you can read them into a new app, you now know not only that you shouldn\u2019t use that feature, but also that your decision to switch apps was a good one!)<\/p>\n<hr>\n<p><strong>QUANTIFYING THE RISK FOR YOURSELF<\/strong><\/p>\n<p>The risk of leaving your account protected by a 2FA seed that you think someone else might already know (or be able to figure out) is obvious.<\/p>\n<p>You can prove this to yourself by using the TOTP algorithm we presented earlier, and feeding in [A] the \u201csecret\u201d string from Tommy Mysk\u2019s <a href=\"https:\/\/twitter.com\/mysk_co\/status\/1629573752538243073\" rel=\"nofollow\">tweet<\/a> above and [B] the time he took the screenshot, which was 7:36pm Central European time on 2023-02-25, one hour ahead of UTC (<em>Zulu time<\/em>, denoted <code>Z<\/code> in the timestamp below).<\/p>\n<pre>\nThe stolen seed is: 6QYW4P6KWALGCUWM\nZulu time was: 2023-02-25T18:36:00Z\nWhich is: 1,677,350,160 seconds into the Unix epoch\n<\/pre>\n<p><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/wordpress-1016567-4521551.cloudwaysapps.com\/wp-content\/uploads\/2023\/02\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked-1.png\" alt width=\"768\" height=\"271\" class=\"aligncenter size-full wp-image-855317\"><\/p>\n<p>As you might expect, and as you can match up with the images in tweet above, the code produces the following output:<\/p>\n<pre>\n$ luax totp-mysk.lua Tommy Mysk's code was: 660680\n<\/pre>\n<p>As the famous videogame meme might put it: <em>All his TOTP code are belong to us.<\/em><\/p>\n<hr>\n<ul class=\"plato-post-bottom-links\">\n<li class=\"plato-post-bottom-link-amplifi\">SEO Powered Content &amp; PR Distribution. <a href=\"https:\/\/www.amplifipr.com\" target=\"_blank\" rel=\"noopener\">Get Amplified Today.<\/a><\/li>\n<li class=\"plato-post-bottom-link-platoblockchain\">Platoblockchain. Web3 Metaverse Intelligence. Knowledge Amplified. <a href=\"https:\/\/platoblockchain.com\" target=\"_blank\" rel=\"noopener\">Access Here.<\/a><\/li>\n<li class=\"plato-post-bottom-link-source\"><span>Source:<\/span> <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/02\/27\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked\/\" target=\"_blank\" rel=\"noopener\">https:\/\/nakedsecurity.sophos.com\/2023\/02\/27\/beware-rogue-2fa-apps-in-app-store-and-google-play-dont-get-hacked\/<\/a><\/li>\n<\/ul>\n","protected":false},"author":1,"featured_media":1981749,"template":"Default","meta":{"_eb_attr":"","type":"","auto_type":false,"post":"","stream":"","stream_url":"","waveform_data":[],"duration":0,"start":0,"end":0,"bpm":0,"downloadable":false,"download_url":"","purchase_title":"","purchase_url":"","post-count-all":0,"like_count":0,"download_count":0,"editor_note":"","copyright":"","captions":[],"sources":[]},"genre":[41879],"station_tag":[21579,7042,3629,13775,31352,9160,40105,5591,40388,4263,28442,9993,8975,5602,3942,39947,4398,39830,12627,4339,3761,9181,9161,4046,18340,4721,3820,11468,9721,3821,9271,40681,5105,4047,23525,4291,3718,4135,4554,40046,5128,15917,6042,30993,41566,13212,12619,14207,12341,13655,33720,11509,4591,27831,35808,4294,24385,36133,12356,41392,40004,10228,4053,40005,3635,47685,3886,24510,40682,9239,4868,10957,4648,20308,12447,40290,5198,4147,26869,4911,4556,4609,3720,31485,11364,3889,3830,5619,13213,40028,10315,17718,19997,4058,23385,39952,12464,11290,10541,3724,16546,4897,4156,38900,3691,12468,14052,40305,12202,12750,14273,3896,9092,3834,9163,20729,4001,11467,37581,8665,47953,40182,9164,39854,22089,44573,14017,40053,13295,5685,40031,3899,40054,10523,41881,30068,9165,4864,39858,39955,47295,9706,13837,9166,10521,20629,24487,32236,12064,40313,40638,26960,19270,14311,3729,4865,4382,42709,4346,40057,4175,18806,30994,47141,7942,47687,3772,9874,11011,4177,9228,11625,4742,4978,40058,13776,4178,3950,11489,9007,14115,40413,11294,10952,40035,34012,10469,19651,9167,4491,3647,7319,6211,40765,13102,48062,4425,40876,4493,9418,12556,10511,9238,18475,4710,5956,22250,3694,3650,40322,3907,4186,13353,13698,9365,17468,19265,9886,3953,21009,12191,3908,18162,11192,40062,11455,4729,4277,3653,39861,10841,4537,13752,4196,3805,4197,13648,9569,3806,27164,3734,26538,3735,10786,40039,21829,3654,15462,4659,11472,457,9705,3851,39894,9169,11365,3958,5026,10033,39875,18338,4451,4092,34144,12349,28755,4011,8690,11767,14101,40145,12343,3741,13691,3961,3962,5632,18074,3705,10997,9483,3706,15664,23391,4095,39917,44248,12636,12213,20482,19689,14094,11060,10785,4748,13360,41356,4096,460,40065,17454,3963,5264,4388,3662,40662,3663,11453,12344,4984,26064,5490,23402,41139,3965,40067,3966,40598,9230,24867,7457,8453,9642,8570,5124,4428,11805,14292,5115,39988,3665,18347,40098,9231,9221,9247,11502,4214,8335,17533,9054,13656,17354,6991,10510,37029,4108,4622,4216,11057,15551,15116,11198,4480,10274,13774,12622,40334,10966,4260,39868,30479,5047,4113,4503,13653,14276,462,20599,3811,14046,15409,11682,21853,10034,4220,44887,5588,4459,5409,40178,40074,30762,3778,9768,3976,12941,5599,4483,39869,14209,20806,9361,40228,9232,4461,40082,12444,40208,7048,3779,4282,12072,11458,9173,9174,13853,40188,5126,3714,3668,24661,41594,4031,20922,39884,4901,4032,4414,39843,41298,40246,40283,46312,16360,5033,40427,4124,39844,11996,10092,4126,13215,43573,39845,39871,11938,14803,13569,3671,22441,19267,9409,4036,22249,3750,33264,4286,11806,10035,5035,14821,40077,4037,20557,21825,3675,21681,48292,466,13707,12836,35208,21855,3984,10367,30318,3755,8854,13097,3781,13149,11955,39873,4484,18130,4590,5295,3815,23678,10685,39944,9178,9838,36520,3941,27168,40080,3816,9089,4757,3935,4240,11461,467,4927,3717,3937,13217,40472,14555,4668],"artist":[15727],"mood":[],"activity":[],"_links":{"self":[{"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/station\/1981748"}],"collection":[{"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/station"}],"about":[{"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/types\/station"}],"author":[{"embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/users\/1"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/media\/1981749"}],"wp:attachment":[{"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/media?parent=1981748"}],"wp:term":[{"taxonomy":"genre","embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/genre?post=1981748"},{"taxonomy":"station_tag","embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/station_tag?post=1981748"},{"taxonomy":"artist","embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/artist?post=1981748"},{"taxonomy":"mood","embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/mood?post=1981748"},{"taxonomy":"activity","embeddable":true,"href":"https:\/\/platodata.io\/wp-json\/wp\/v2\/activity?post=1981748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}