
Potential Security Flaw In Spotify Connect

My Question or Issue

I found some interesting and hopefully unintended behaviour with unknown users outside my network able to play music on my home speakers.

I was at work, connected to my work wifi network, when my wife contacted me from home, asking me to stop playing loud drum and bass on the speaker in our bedroom, as it was waking our baby up.

I was very confused as I was not even listening to music at the time - let alone playing it from speakers at my home.

I was eventually contacted by someone in my office, apologising for accidentally playing music on the wrong speaker, as they had been trying to connect to a speaker in the office.

This person has never been connected to my home network (my house is 2 hours from the office), yet they and a number of other colleagues that I had never met had all been able to connect to my home speaker, select music, and turn the volume up (they put it to max before realizing they had the wrong speaker).


All users were connected to the same work network that I was connected to.


I suspect this was able to happen because at the time, I had Tailscale running, using a NAS on my home network as an exit node.


Surely it is not the intended behaviour for devices to be accessible to unknown users when not all connected to that users home network directly?

4 Replies

Hi, @bishoptim453 
Welcome to the Spotify Community, and thanks for reaching out to us!

First of all, Spotify doesn’t recommend the usage of a VPN because it can affect the expected behavior of the app, including the Spotify Connect.

In your case, considering what you said, it’s probably the reason why you’re experiencing this issue. On Spotify Connect, anyone who is inside the same network can see and “control” speakers to play content on Spotify. If you’re sharing your personal network using a VPN, this may happen constantly.


Stay awesome!

If you have further questions or if you need anything else, let me know! I'd love to help!

Regards,
Luan


Luan, Spotify Star
Note: I'm not a Spotify employee.

Hi @Luan


Thanks for your response.


I just want to be really clear on this to make sure I don't give the wrong impression of the setup.


I had a VPN client enabled on my mobile, while connected to the work network. I wasn't even using the Spotify app on my device at the time and I wasn't sharing my device's network with hotspotting or anything.


The users who could access my home speakers had never accessed my home network and we were not linked in any way in the spotify app, other than both being connected to the work network (a few of them I had never even met before).


So are you saying, that from your understanding of the connect feature, this is the expected behaviour?

If I am using a VPN to connect to my home network while connected to external WiFi - all other users of that wifi will have full control over all speakers within my home network?


Does this not seem like a pretty major vulnerability, that this feature cannot determine that a user is not actually connected, and never has been connected, to my home network?


Hey @bishoptim453,


Thanks for your reply and the clarification.


The Spotify Connect devices announce themselves via the mDNS protocol on the local network. To check whether your VPN setup relays this traffic to the office network, you and your colleagues can install a Bonjour/mDNS browser on the phones/laptops that had access to the speaker.


If the speaker (and other local devices e.g. Google Cast) show up while using the mDNS/bonjour browser it means the VPN configuration is broadcasting local traffic from the home to the office network. 


Can you try this and let us know how you get on?

MihailY, Moderator

Hi @MihailY 

Thanks for this suggestion - I will give it a try this weekend and update some results here


Thanks
