Spotify plugs Downloadify breach - but shouldn't have needed to do so

Online web players must implement strong and effective protections against the downloading of content

Spotify has moved quickly to shut down a hole in its streaming music service that allowed unlimited downloads of unencrypted music files.

The "Downloadify" extension for the Chrome browser, released by the Dutch developer Robin Aldenhoven, took advantage of the absence of any protection in the beta release of Spotify's web-based player. Little more than a day after the tool appeared, Spotify changed the streaming method used by the beta player, and downloads are no longer possible.

Aldenhoven's tool (a short piece of JavaScript) identified any MP3 played in the Spotify web player and automatically downloaded it while it was being streamed. Spotify's fast network infrastructure meant a download took no more than a few seconds: a user clicked to start a stream, and the entire MP3 was sitting in their downloads folder a few moments later. With the audio files transmitted unencrypted and fetched with an ordinary HTTP GET request, every track on Spotify was at risk.

As users only had to listen briefly to each track to trigger a download, whole albums could be grabbed from the service in minutes. On 8 May 2013, Spotify implemented changes to its servers that stopped Downloadify accessing music. With the audio stream used by the web player moved behind RTMP, the Downloadify extension is no longer able to grab files as they stream.

Aldenhoven appears to have launched Downloadify to demonstrate the poor (or rather, almost absent) security implemented by Spotify rather than as part of any grand "music should be free" crusade. In conversation with NetNames Scrutiny* analysts, he stated that he "could not believe they [Spotify] did so little to protect their library". He explained to a Twitter user that "if [content owners] want to earn money on the internet, DRM is just part of the deal" and offered a number of suggestions on how the exploit could be patched by Spotify. Google removed the tool from the Chrome Web Store shortly after Aldenhoven first added the extension, but it remains available, though no longer useful, on GitHub.

While it is encouraging to see such swift action from Spotify to address shortcomings in its protection mechanisms, questions will remain amongst music executives as to why the company launched a web player without any effective protection against downloading. The protections now introduced appear to be based on obfuscating the underlying content URL and may not (or at least not yet) involve any kind of file-based DRM that restricts playback, such as PlayReady. Plain RTMP is a transport, not encryption: the audio still crosses the wire in the clear, and a client that speaks the protocol can reassemble it. As such, it remains possible that an updated or forked version of Downloadify could capture the underlying unencrypted content stream, though it looks unlikely that Aldenhoven will do that himself.

Written by David Price, Director of Piracy Analysis, NetNames

21 May 2013

(Article extracted from NetNames Scrutiny Online Publication).


*Scrutiny is a digital piracy intelligence and analysis subscription service offered to specialist NetNames clients in the digital piracy industry. Terms and conditions apply.