google

Tuesday, March 10, 2009

The True Story Behind The Spotify Incident - itproportal.com

The Spotify incident, which saw the site's password hashes compromised, hides more than meets the eye and has a lot to do with a little known Open source application called Despotify.

Despotify is a nifty little open source software client for online music service Spotify and aims to provide "tools to allow third parties to develop new and cool services that make use of Spotify's platform and services."

It has later emerged that the unknown group to which Spotify refers to in the two blog posts announcing the security issue was Swedish "hacking" group behind the Despotify team. Note that at no time, Spotify uses the word "hacker" or "criminal".

Members of the Despotify group are anonymous but claim to be a "group of Swedish computer science researchers, security professionals and geeks who believe strongly in the right to tinker with technology."

Prior to the security "breach", Spotify and Despotify have had a number of exchanges leading to Spotify to block Despotify users using free accounts although those on Premium accounts could use it. Despotify agreed that it will NOT "circumvent this block, nor accept any patches circumventing it".

Despotify points to the fact that most news sites reporting the incident did not even comprehend what really happened although Spotify's blog posts did provide with ample information. Even the BBC at some point mentioned that the "hackers" had stolen user data.

The Despotify team explained in details on their website what really happened and concluded that there is still a risk that others could have found the apparently gaping architectural flaw that existed in Spotify's own client.

In their own words, "We realized that the password hash that was transferred to the client when you added someone else's playlist, could be used as a way of authenticating to the server as the owner of the playlist, without knowing his or her password. That was bad."

There is no doubt that the press in general has done a pretty lousy job about covering despotify. To date (and according to Google), one tech magazine based in Sweden (Computer Sweden), has published an article mentioning despotify. The rest, including some of the biggest name in news writing, did not even bother finding out more.

And they need not have searched far as Despotify was mentioned in the first response to the first post published by Spotify on the 4th of April. A poster called Rylin rightly pointed to the fact that "there’s been no update on when there’s a official Spotify API coming out, despotify is currently the best option of integrating with a HTPC."

If Despotify was guilty of anything, it was not done by malice. They found a mistake in Spotify's armour and use it. They did not "steal" anything and had no intention of doing it. As such, this is a victimless "crime". However, by failing to report it, they did put the security of others at risk.

No comments: