Spotify Launches Web Interface, Fails To Secure Its Own Music

It’s a truth of computer security that if you want somebody to read your data, there’s always a way to exploit that way in. Sometimes it’s a tiny vulnerability. And sometimes it’s not bothering to encrypt the MP3s you’re streaming so that users can just download them for free, as they’re playing.

Guess what Spotify just did!

The exploit is so wide open that, until it got yanked, you could do it with a Chrome extension called Downloadify. As the developer so concisely puts it:

So spotify made a great html5 player for their service… But they forgot their encription… NICE! :)

Stil no updates from Spotify… they did fix it a little so this plugin does not work anymore unless you modify it.

The main problem is that even though the extension was quickly yanked from the Chrome store, it’s still out there in the form of a Github page, and fairly easy to download and use if you’re so inclined. Personally, we would not recommend stealing music. Musicians need to pay rent, otherwise they can’t keep playing music.

But it does raise some uncomfortable questions for Spotify, especially considering what a glaring error this problem actually is. And considering it’s currently negotiating rates with several major labels.