Spotify Fixes Security Hole that Allowed Free Song Downloads

One of the largest online music streaming services was briefly singing a different tune after learning a new Google Chrome plug-in allowed users to download copies of songs for free.

Google this week pulled from its Chrome Web Store the browser extension known as Downloadify, which exploited a vulnerability in Spotify’s web player to allow a user to download a DRM-free, MP3 backup of a song as it started playing.

“It is effectively stealing,” Sheena Sheikh, an intellectual property attorney, told the BBC. “You are committing an infringement. You’re not authorised to download the songs. You don’t have permission.”

Although Google removed the extension from its Chrome store, it might still be circulating on other sites. The extension's Dutch developer also published the code on GitHub, according to CNET. He reportedly took advantage of a flaw in the Spotify Web client, which, unlike the desktop and mobile versions, lacked encryption. He also told a reporter at The Verge he did not plan to update the program and believed Spotify had taken steps to boost its security.

Spotify currently has about 6 million subscribers and is second only to Apple as a digital revenue source for major music recording companies.
