Criticism
Spotify recently notified its users about a possible information leak (updated).
An unknown group, who was later identified in an interview with Spotify’s CEO as being the despotify team, could have compromised the security and privacy of individual user accounts.
Several news sites wrote articles about the incident, most of them not comprehending what really happened despite Spotify's detailed blog posts on the matter. The UK's Guardian initially called us computer criminals, and many Swedish news sites falsely reported that someone had broken into Spotify and stolen a lot of passwords and details about their users (Swedish: here, here, and here). That's not what happened.
So what really happened?
While auditing Spotify’s software back in November 2008 we monitored data the Spotify client exchanged with the server and things it processed internally.
It turned out that whenever you added someone else’s shared playlist, the Spotify client software would request information from Spotify’s servers about the author of that playlist.
The information returned contained things like a hash (based on a salt and the user’s password), date of birth, city and other things that Spotify knew about this user.
We realized that the password hash transferred to the client when you added someone else's playlist could be used to authenticate to the server as the owner of the playlist, without knowing his or her password. That was bad.
A few days before Spotify finally stopped relaying the password hash (and some other unnecessary information), we realized that this hash was actually a SHA-1 hash over a 10-character salt, a space character, and the user's password.
Since by this time we knew both the resulting hash value and part of the message that was hashed (i.e., the salt and the space character), we had everything we needed to successfully brute-force the original password.
On December 18th, 2008, Spotify removed parts of the information returned to the client when it asked for a user's details, notably the password hash.
For us, that meant that the possibility to steal a lot of password hashes now was gone.
In fact, we were left with previously requested information (stored for research purposes) for approximately 40 different users. These users were mostly people whose playlists we were listening to. Others were employees of Spotify, because we thought it would be interesting to see whether, and if so how, employees' details differed from Joe Average's account.
On February 17th, 2009 we released despotify, our open source Spotify client.
It still had support for requesting details about a particular user's account, as is also shown in our video introduction. This information was made up of things like the account holder's email address, date of birth (YYYY-mm-dd), postal code and a few other uninteresting details.
Hours after making despotify public, Spotify realized the privacy issues involved and stopped leaking the above mentioned information. Shortly afterwards, we also removed support for requesting that information (it didn’t work anymore) from the despotify code in our Subversion repository.
On March 4th, 2009 Spotify posted information about these issues on their blog.
Am I at risk?
While we only got our hands on ~40 different users' details, there's still a risk that others also found the same issue that we did.
It’s impossible to know for sure and hence full disclosure and notifying those that could be affected is required.
In other words, Spotify has responded to this issue in an exceptionally good way.
Why did you not report this issue to Spotify?
If we had reported this, Spotify would have understood that there were people out there actively tinkering with the internals of their software.
We simply didn’t want to risk jeopardizing the continued research we were doing by reporting the issue.
So you didn’t really hack into Spotify?
No. We did not hack into their servers and we certainly did not exploit a weakness in their web platform, as some media reports claim.
We’ve only used a feature already part of the communication protocol between the client and the server to obtain the data. Even the official client software (version 0.3.8 and before) did just this, although you could not request data for arbitrary users.