One of the largest online music streaming services was briefly singing a different tune after learning a new Google Chrome plug-in allowed users to download copies of songs for free.

Google this week pulled from its Chrome Web Store the browser extension known as Downloadify, which exploited a vulnerability in Spotify’s web player to allow a user to download a DRM-free, MP3 backup of a song as it started playing.

“It is effectively stealing,” Sheena Sheikh, an intellectual property attorney told the BBC. “You are committing an infringement. You’re not authorised to download the songs. You don’t have permission.”

Although Google removed the extension from its Chrome store, it might still be circulating on other sites. The Dutch developer also published the code on GitHub, according to CNET. He reportedly took advantage of a flaw in the Spotify Web client that lacked encryption — unlike the desktop and mobile versions. He also told a reporter at The Verge he did not plan to update the program and believed Spotify had taken steps to boost its security.

Spotify currently has about 6 million subscribers and is second only to Apple as a digital revenue source for major music recording companies.

Categories: Vulnerabilities