Dangerous bug: complete access to account without Email + Password

Plan: Premium

Country: Germany

Device: iPhone 11

Operating System: newest

My Question or Issue

I sent a song request via link to a friend of mine. He has no Spotify and was sent directly to the App Store after clicking on the link. After installing Spotify he instantly got access to my account. He was able to see my profile pic and to control the music on all devices that had Spotify open; basically he could do everything with my account. I assure you that neither his phone nor he was ever connected with my account. I guess this should not happen.

Hey there @KimioN.

Welcome to the Community. Rest assured, Spotify takes security extremely seriously and has a dedicated team and safeguards in place, which you can learn more about here.

Could you let me know a bit more information so I can try to replicate this and pass it across to the right folks if required? With regards to 'song request via link', could you let me know what this link was or how you obtained it, and also whether you were both on the same network? Alongside this, could you let me know what devices you're both using and whether you used any devices you were streaming to, such as an Echo or Sonos.

 

Keep Well,

 

Hello @EthanS1

 

Thanks for your reply! The following happened in detail:

 

I'm using an iPhone 11, my friend uses the new iPhone SE.

 

I sent him the following link (share a song via Spotify): https://open.spotify.com/track/1QHzf28GKB4xblsVPS6LPs?si=GjToqynlQgi_Szx90lJL0A

 

At this moment my friend had just finished setting up his new iPhone and hadn't installed Spotify yet. He clicked on the link, which led him directly to the App Store. He then downloaded Spotify, opened it afterwards and had direct access to my account. He hadn't even been asked for an email and password. He was as surprised as me. It was quite funny actually, because he could control all my Spotify devices like Amazon Alexa, but I know that this is something that definitely shouldn't happen.

 

To your other questions: we were not using the same network. My Spotify account is connected with an Echo dot.

 

I hope you can reproduce this bug with this information, I'm looking forward to your answer!

 

Kimio

Hey there @KimioN!

Thanks for your speedy reply! It sounds like he was using Spotify Connect, which you can do as long as you're connected to the same network or near one of these devices in WiFi/Bluetooth range; this is a feature of Spotify. Read more here.

 

This video explains it rather quickly too:

 

However I'm going to try replicating this just to confirm it is Spotify Connect, stay tuned.

As mentioned, we were definitely not using the same network. What happened was not the Spotify Connect feature; he was logged into my account as if he had entered my email and password. I later got an email from Spotify that someone had logged into my account.

I've been using Spotify for such a long time, and I think that this was not the point of sharing a song.

 

Thanks for investigating!

I've been trying to replicate this with a few of my fellow Community Stars.

 

I'm being prompted to log in and I have no way around this and no access to any account. I have even tried the link above and followed the steps you've mentioned, without having the Spotify app and then installing it like you said. Could you also confirm what features of your account you think he had 'access to without login'; was it just song control?

 

Also, with the email, how long after was this sent to you, and if possible could you screenshot it and send it in the thread? @KimioN

Definitely not.

By the way: he didn't set up his iPhone with a backup so it was on factory settings. 

We also tried to replicate the error without success. I'm also thinking to myself how such a simple procedure can lead to such an error... 

Also, with the email, how long after was this sent to you, and if possible could you screenshot it and send it in the thread? @KimioN.

 

Was it a message like this in-app? 

Screenshot 2020-05-01 at 15.57.01.png

 

Of course my friend was using Spotify Connect when he controlled my devices. But he was able to do so because he suddenly had complete access to my account, just by clicking on the link of the shared song. The mail from Spotify came 2 hours later.

I know this sounds strange. I assure you, this is not a mistake of mine; I'm finishing my master's in electrical engineering at the moment and know quite well which procedures should or shouldn't happen in technical issues like this one.

 

 

Hey!
No worries, I understand you know your stuff, but I ask as it's just helping us rule out different factors which could have caused this, as the teams that we'd refer this to at Spotify would want us to rule out anything that could be expected behaviour.
Could you screenshot that email at all and upload it in this thread?

KimioN_0-1588345815527.png

This is the mail from Spotify; it is in German, I'm sorry 😕

 

No worries, it's completely fine. Does the time in that email match roughly the time you sent your friend the link?

No, my friend called me at exactly 14:47 to tell me that he was logged into my account. The email came at 16:47, as you can see in it.

 

I know how strange it sounds. I hope there is some way to replicate the error. Thank you for your quick answers and your help.

No worries, I'm currently attempting to get some others to replicate this in the meantime with various devices; however, we've had no luck so far. Rest assured, I'll keep you up to date with any developments I get from this. The link you provided previously, was that the same one you sent?

Thanks,

Thank you! And yes, the link I sent here is the same link I sent to my friend yesterday.

Have you ever logged in to Spotify using your friend's devices before (even if not the SE), such as any Apple device he owns?

 

Thanks,

I thought about the same. I have not. Plus, the phone was on factory settings and set up the same day. It had never had Spotify installed at that moment. No backup was installed either.

I never shared my account on any device either. He never had access to my account.

Apple has a way of storing passwords based on your Apple ID. It doesn't matter if the device is factory reset, as they are re-added when you log in to an Apple application such as the App Store, or during the setup process when starting a new phone; these logins are stored in the cloud.

Could you ask your friend to launch Siri and say 'Hey Siri, show my passwords'? Apple will then prompt for your Face ID/Passcode.

Scroll to the 'S' section, find the Spotify logo and then tap on the entry. Can you ask him if it displays your email/username?

Let me know.

 

IMG_9355.PNG

I did exactly what you said; my Spotify user data was not stored there. In the next days I'm going to try to replicate the error with a brand new iPhone. This would be the last test that comes to my mind.

Let us know how you get on.

Just thought I'd let you know, and hopefully this can reassure you: Spotify doesn't share any account info when you share a link for any type of content.

Myself when tweeting from @AskRockStars (I personally use my own Spotify to share tracks to users and I've had no behaviour like this), and also my pals @SpotifyCares and Spotify's other social handles, generate links the same as you, and there are 100,000s of these shared on social media and through many platforms daily. I've never personally seen this before, nor has any of the other Rock Stars on the Community I have queried and who attempted to replicate this, nor have I found any similar complaints on the Community. However, rest assured I'm still actively trying to see if there's anything else which could have caused this, and I'm trying to see if we can replicate this, but I've had no success. I would be keen to know how you get on.

 

I'll be standing by.
