Announcements
The Spotify Stars Program: Celebrating Values Week!

Help Wizard

Step 1

NEXT STEP

[Security hole] Remote control devices on other networks through Spotify Connect

Solved!

[Security hole] Remote control devices on other networks through Spotify Connect

Hello community

 

This is a serious security hole I've found on my Spotify Connect. If you have connected your Spotify to other devices, and now I'm able to control and connect that device even though I'm on an another network and on a far distance from the device. 

 

The below image shows that I'm able to connect to device below the one I'm currently listening at. The other device belongs to a relative on a complete other location and network. Also confirmed that I could start the other device, that was on standby mode.

 

Screen Shot 2018-09-30 at 09.38.56.png

 

Running Spotify 1.0.89.313.g34a58dea

 

Thanks in advance!

/ Daniel

Reply

Accepted Solutions
Marked as solution


- So you are telling me that this is as designed, even though I'm currently on a complete different location and network from the device?

Yes, that is correct. Spotify Connect is designed to work on either local wifi or across the Internet.

 

Since you were indeed connected on that device through WiFi earlier and you don’t have access to it, you can ask the owner of the device to make sure you are logged out.

Spotify takes security very seriously. If you are still concerned, you can also sign out remotely from your account page and for extra safety change your password.

Once you have been logged out you can't connect to the device again unless you connect to the same wifi network.

 

I hope this makes things more clear.

If you still have some questions I will be happy to answer.

 

View solution in original post

5 Replies

Hi @hizmano

Spotify Connect works across the internet, you don't need to be on the same network as the device. The reason you can see and control this device is that your profile is still logged in to it. You can use the option to Log out everywhere and it should disappear from your devices.

Hope this helps, if you have more questions feel free to ask.

To log out everywhere may help the situation but the fact users may be able to "hijack" other devices from other locations is for me not acceptable. The documentation at https://support.spotify.com/us/listen_everywhere/in_the_car/spotify-connect/ doesn't state this. 

 

Please advise me further if there are other documentation to read more about this

@hizmano

It's never possible to start a connection without being on the same Wifi as the device, so the same person who connects to the device must've had access to the Wifi at some point. So you can't actually remotely hijack the device unless you were locally connected to it at some point.

The connected device disconnects as soon as someone else connects their device, when you restart the device, or when it loses network connection. 

This is made like this is so that you can continue using the speaker/headphone even if you lose connection. 

Thank you for reply @

 

 

"It's never possible to start a connection without being on the same Wifi as the device, so the same person who connects to the device must've had access to the Wifi at some point."

 

- Yes, I have been connected to the WiFi and the device at a point

 

"This is made like this is so that you can continue using the speaker/headphone even if you lose connection."

 

- So you are telling me that this is as designed, even though I'm currently on a complete different location and network from the device?

Marked as solution


- So you are telling me that this is as designed, even though I'm currently on a complete different location and network from the device?

Yes, that is correct. Spotify Connect is designed to work on either local wifi or across the Internet.

 

Since you were indeed connected on that device through WiFi earlier and you don’t have access to it, you can ask the owner of the device to make sure you are logged out.

Spotify takes security very seriously. If you are still concerned, you can also sign out remotely from your account page and for extra safety change your password.

Once you have been logged out you can't connect to the device again unless you connect to the same wifi network.

 

I hope this makes things more clear.

If you still have some questions I will be happy to answer.

 

Suggested posts