Despotify (as disclosed earlier in this post) was behind the hack of Spotify that was announced yesterday. The group did not attack any databases but worked out how to communicate with the Spotify servers. Doing so, they were able to request user information and consequently break passwords.

“We do of course not appreciate when people are trying to hack Spotify,” says Spotify’s CEO Daniel Ek. “We interpret Despotify as a wish to make Spotify more open to developers to build things on top of Spotify. That developers are writing software for Spotify is for sure something we encourage, and we will work hard to provide an API,” continues Daniel to IDG.se.
I have some comments:
1. An API has been requested since the beta trial, this shows it is high time to get it out.
2. Why was the breach announcement postponed until now?
3. Celebrate Despotify for a successful reverse engineering, it takes a lot of skills.
4. Always use a separate password for every site. Manage passwords with a password manager, for instance KeePass.
Please share your thoughts in the comments to this post.
Quick note on point 3. Reverse engineering Spotify surely took a lot of skill, but so does hacking into say a bank, and I don’t encourage that anyway.
Also, I just “love” the following quote from despotify’s page: “We don’t want to be held back by a company whose key priority is to make money.” Well, what other kind of companies are there? Why do they expect someone would develop the system in the first place? Not to mention reaching the deals with the music industry. Would Open Source have created Spotify? I don’t think so.
Henrik, I agree with you to some extent. What impressed me was the achievement and I guess I would be impressed if someone hacked into a bank as well.
Agree their comment is wicked. But the good aspect is that it highlights ambition to Spotify and hopefully speeds up the legal API development. Frankly, I am getting quite annoyed that it is taking so long.
Good point, there’s a difference between being impressed by something and encouraging it. So, I agree, their reverse engineering is impressive although not something I’d encourage.
Possibly it’ll speed up API development. But given that their reverse engineering causes Spotify to have to send a “passwords compromised” letter to 1 million customers and potentially lowering the record industry’s confidence in Spotify, I’d have to say that it’s a net loss.
What’s more interesting is, if despotify had not emerged in the first place, would Spotify have notified its users about the excess of information problem they fixed in December?
The despotify team just showed off they did indeed find a problem. Others might have found the same issue but, unlike despotify, never gone public with it.
Judging from the fact that Spotify did not react until they had no choice we could all have been left in the dark with this issue.
Malice, you post interesting ideas.
No I do not think they would notify the users about the information problem. If nobody knows, why be transparent about it?
Do you know if there has been an open communication with Spotify during a longer period of time and what such communication might contain?
Couldn’t help myself, a Spotify song to say thanks for your comment, “A Town Called Malice” http://open.spotify.com/track/1KP1j8sCQADCc8eXrtAUP6
On the other hand, if Despotify hadn’t exploited the bug, there would have been no security breach to report (assuming Despotify were the only ones to access). Or do you think they should report a bug which they had fixed and which was never exploited? I don’t see how that would make sense.
“If nobody knows, why be transparent about it” is a dangerous game and this round was obviously not to Spotify’s advantage.
Imagine a store transmitting credit card details after customer payments over an unencrypted wireless network. They’ve been doing this for the last six months, but during a security audit someone points out it’s stupid and fixes the issue.
Just like in the case with Spotify, there’s really no way of knowing if anyone actually did take advantage of the problem, which basically leaves them with two options.
One is to immediately call their payment uplink and let them know they fucked up bad. The other one is of course to keep quiet and hope nobody ever noticed.
Given the fact that you’re unable to verify that nobody but the intended recipient saw the data, the only sane thing to do here is to go with option number one and assume the worst.
Spotify went with option number two and assumed that nobody had noticed. Or at least they figured that as long as nobody knows about it, there really is no gain in letting people know since, after all, it’s bad PR.
Until just last week their non-action prevented those affected by the breach from taking measures to protect themselves or to do proper damage control. For example changing passwords (if they used the same elsewhere) or thinking about what sensitive data could theoretically have been compromised because they used the same password on Spotify as on their email, intranet or anything else that could be interesting to a malicious third party.
In cases like these it’s always best to be upfront with what happened, as soon as you’re aware of the fact. There are simply no excuses for not doing it.
Sure, there is no doubt it’s going to be bad PR but in Spotify’s case, despite being transparent about it last week, it still looks bad because they kept their users in the dark for a good two months.
I believe we are making different assumptions. As far as I understand, Spotify *does* know whether or not the bug has been exploited. After all, exploiting it means accessing their servers, which I assume they are logging (or how would they have noticed Despotify?). So what I am saying is that I see no real value (for either Spotify or the customer) to know about a security vulnerability which was provably (my assumption here) never exploited.
Hi,
No, Spotify would not know of another group reverse engineering the protocol, as there is no way to see who is a genuine client and who is just fetching userInfos.
The “Hack” was that despotify, after hooking into the XML parser, found that when you load a community playlist the client will issue a command for fetching userInfo from the server. This infoblob contained username, password hash and address, and some credit card info (last 4 digits).
So you could inject into the XML parser, find a lot of community playlists and just gather accounts with a debugger, without even reverse engineering the protocol at all!
As far as I know, there have been no indications Spotify ever knew about despotify before it was released.
The GetUserdata request (which was the source of the information leak) is done each time you log into Spotify as well as when you add someone’s playlist, something the released source code for despotify also points out.
Frankly, it would be insane to log all this data. And even if they did have a perfect audit trail of all those requests, as well as a complete log of what shared playlists a particular user was subscribed to at any given time, it would require lots of work to cross-reference all this data to find out who asked for information about a user despite not being subscribed to that user’s shared playlist.
And as @krs pointed out, it was still possible for those that hooked into the Spotify client’s XML parser (or just monitored the Spotify client’s memory) to find out all the juicy details, even for the legitimate GetUserdata requests that occur during normal operation.
To me it’s clear Spotify had no way of knowing who could possibly have had access to all the juicy details the server responded with, and that’s why they should have considered all data as compromised.
And regarding their first fix in December, that just removed the most incriminating details such as the password hash. They kept sending out email addresses, postal code and a bunch of other details until the day despotify was released, as is demonstrated in the despotify video on YouTube.
Claiming that you assumed nobody knew about the excessive amount of information transferred in response to those requests because the network protocol was encrypted, or assuming nobody knew because _you_ haven’t heard of anyone taking advantage of it, is just a recipe to make you look stupid.
I stand by the fact that they should’ve let their user base know about the issue back in December.
Please, be sincere about this and make a professional statement about the mistakes you have made jeopardizing the integrity of hundreds of thousands of users.
With a successful service there comes responsibility.
Show some backbone and don’t blame Despotify for the lack of these stupid mistakes.
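The two comments above describe the actual defect: a per-user response that carried the whole account record (password hash, address, partial card number), a December fix that removed only the password hash, and a client that could read whatever the server sent simply by hooking the XML parser. The example below is added here to illustrate that pattern and is not Spotify’s or despotify’s code; the element names, field names, account data and the `GetUserdata`-style response shape are all constructed for illustration and are not the real protocol. It contrasts a deny-list fix (drop one field) with an allow-list fix (send only what the client renders) and adds the server-side egress check a practitioner would want.

```python
"""Added example, not code from the original post or from Spotify/despotify.
Field names, element names and sample data are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample of what a server might hold about one account.
ACCOUNT = {
    "username": "alice",
    "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99",
    "email": "alice@example.com",
    "postal_code": "12345",
    "card_last4": "4242",
    "country": "SE",
}

# What a client actually needs to render the owner of a shared playlist.
PUBLIC_FIELDS = ("username", "country")
# What must never appear in a client-facing response, whatever else changes.
SENSITIVE_FIELDS = ("password_hash", "email", "postal_code", "card_last4")


def render_user_info(account, fields):
    """Serialize the selected fields of an account record as a small XML blob."""
    root = ET.Element("user-info")
    for name in fields:
        if name in account:
            ET.SubElement(root, name).text = str(account[name])
    return ET.tostring(root, encoding="unicode")


def leaky_response(account):
    """'Before': the whole record is serialized, as the comments describe."""
    return render_user_info(account, account.keys())


def partial_fix_response(account):
    """Deny-list fix: drop only the password hash; everything else still leaks."""
    return render_user_info(account, (k for k in account if k != "password_hash"))


def minimized_response(account):
    """Allow-list fix: only the fields the client renders leave the server."""
    return render_user_info(account, PUBLIC_FIELDS)


def fields_in_response(xml_text):
    """What a hook on the client's XML parser sees: every element and its text."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}


def leaked_sensitive_fields(xml_text):
    """Audit check: which sensitive field names are present in a response."""
    return sorted(set(fields_in_response(xml_text)) & set(SENSITIVE_FIELDS))


def egress_guard(xml_text):
    """Refuse to send any response that carries a sensitive field."""
    leaked = leaked_sensitive_fields(xml_text)
    if leaked:
        raise ValueError(f"response carries sensitive fields: {leaked}")
    return xml_text


if __name__ == "__main__":
    variants = [
        ("leaky", leaky_response),
        ("partial fix", partial_fix_response),
        ("minimized", minimized_response),
    ]
    for label, build in variants:
        xml_text = build(ACCOUNT)
        print(f"{label:12} leaks {leaked_sensitive_fields(xml_text)}")
```

The point of the allow-list is that it holds even when new fields are added to the account record later, whereas the deny-list fix has to be revisited every time; the egress guard turns the audit into a hard stop rather than a review item.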
@krs, @Malice, I stand corrected. As much as I would want to, I don’t have enough time to get into the details regarding (de)spotify. Therefore, I based my assumption on the information of this blog post. But I agree, given the nature of the vulnerability, it is only reasonable to consider all data compromised.
That said, it still doesn’t justify despotify IMHO. Releasing a client which uses Spotify’s infrastructure without giving Spotify any income* or even an ability to follow the contracts they’ve signed (geographical restrictions) just leaves a bad taste in my mouth. It’s not the way to show appreciation to a great program.
*) Just to avoid one unnecessary comment trail, please don’t answer “Spotify will make money as everybody has the option to pay for a subscription”. It’s as likely to work in the long run as a “if you like this movie, consider donating $15 to the copyright owner” button on The Pirate Bay. ;-P