Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Solved!

colesl4w
Music Fan

Hi all,

Just wanting to draw attention to this. It appears that there is an exploit for Spotify Connect which uses the Spotiamb 0.2.1 extension to hijack user accounts and play a set list of songs. Affected users will see "Spotiamb 0.2.1" appear as an available Spotify Connect device. The result is that their account will, multiple times throughout a day at random intervals, play albums by these two artists, amongst others:

Dungeonsd: https://open.spotify.com/album/66xm00as0QlKB2dOE6fUpH

Tony Oldam: https://open.spotify.com/album/3m0eumQjUDrLyAwJmkFMpi

These tracks will interrupt anything the user is currently playing.

Other users are experiencing the exact same behaviour:

https://community.spotify.com/t5/Help-Desktop-Linux-Windows-Web/Random-unsolicited-song-hijacks-play...

https://community.spotify.com/t5/Help-Accounts-and-Subscriptions/Spotify-hacked-by-a-pro/m-p/1178797

Could a member of the Spotify team please comment on this? It is somewhat concerning that there appears to be an unaddressed exploit capable of making user accounts play any tracks they wish.

Many thanks.

3 ACCEPTED SOLUTIONS

Solution!

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Chopp
Casual Listener
yochimo135, the actions I took earlier this week have worked well for me so far.
As described above:
1. Revoke all App access
2. Logout all devices
3. Change password
4. Logout all devices

I'm not sure which action (or combination) solves the issue, but I made them all to be sure.

I wonder how this came to happen, if it's a brute force, exploit or some kind of leak.
As far as I know, the combination of username/password I have for Spotify is unique and therefore couldn't have been leaked from some other dump.
Solution!

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

cnnmndsspntmnt
Casual Listener

Solved.

I got excellent help from the Spotify support staff.

We went through all the motions: Facebook access, revoking, etc. All of which I'd covered on my own.

And then, when we finally got to the point of cutting the cord and restarting my account, a very (very) important question got asked. "Can you log in with your Spotify account?" My huh? I'd logged in with FB from the get-go. "Looks like you logged in once with a Spotify account five years ago. Do you remember that password?"

Nope. But, hot-darn that was the solution.

While I'd done everything under the sun to lock down my accounts, you know, since 2015, I'd left a backdoor to Spotify in the form of an account and a password I didn't care about at the time. Who'd have thought that five years later I'd be more concerned that my AI overlord's suggestions would be torn asunder by hacking?

Long story short? Changed and revoked the password. Bonus? The help was able to move my Discover Weekly goodness back to its original goodness.

All is right in the world.

Solution!

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Moderator
Moderator

Hey folks,

Thanks for reaching out to us about this :)

We just wanted to let you know that if you don't have any luck with the solutions that other users have posted here, you can always reach out to our Customer Support team here. They can help make sure that your account is fully secured.

Hope that helps!

Peter
Moderator
 
 
157 Replies

Re: Spotify randomly starts playing tracks by itself.

colesl4w
Music Fan

EDIT: I have edited the original post to include more detail.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Kikadper
Newbie

Happening to me now with "silent Evening" MediEvol. Ugh, sick of having my account hijacked... First by some Mac laptop, then when I change my password. Still nothing.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

colesl4w
Music Fan
Log in to spotify.com, go to your account, click disconnect all connections, or something similar to that effect. It should kick the spotiamb off your account!

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

colesl4w
Music Fan
Sorry, "sign out everywhere" is the button you need to press.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Forsh
Regular
"Sign out everywhere" doesn't seem to fix it for me.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Jason
Spotify Legend

Hey @Forsh

This sounds like something for our Accounts team to take a look at. Could you reach over to them at https://support.spotify.com/contact-spotify-anonymous/? They'll take a look behind the scenes for you.

If you receive an automated reply, get back to it and this will make sure your email gets through to the correct team. Also, if you post your 8 digit case # here, we'll make sure the right team get onto this for you too.

I hope this helps out.

 

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

adker
Casual Listener

Spotify's response to this issue.

"Thanks for your email. We understand that you're having issues with Spotiamb 0.2.1.

Spotiamb wasn't created by Spotify. Please contact them and they'll help out with this.

We're always here if you have any problems with the Spotify service itself though. Just let us know!

Cheers,

Marc"

Come on Spotify! Give a **bleep** about those paying to keep you in business.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

colesl4w
Music Fan
That is insane. None of us have voluntarily had anything to do with Spotiamb. This is an issue that the Spotify team need to deal with.

Re: Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

adker
Casual Listener



Knock on wood, so far I have not been hijacked for a few hours. This was happening every 5 or 6 songs.

What I did...

Logged in to Spotify in my browser.
Went to "offline devices" and removed any that I was not sure of (two).
Then, "Set device password".
Logged out of Spotify.
Logged back in with the new device password.

Fingers crossed.

Previously, I was logging in with Facebook. Changing my Facebook password did not help. Neither did setting an App password in Facebook.
