Spotify Community

That is not a solution.

@floweringmind

Iti is not, but by looking at the number of kudos of that idea, I don't think people care that much about it. That's sad though, because they should.

They deleted the Kudos, it was 175 with 4 pages of replies this morning

They are trying to bury this. Are you going to let them?

@skyfoxe

You have my kudos.

Added kudos and some relevant tags, plus a note as to Spotify support's absurd response to a request of revoking a third party's access.

At least for any legitimate app in the sense this is referring to, it doesn't (and shouldn't ever) directly ask for your Spotify password. This link provides the technical details if curious but the basic idea is that it triggers Spotify's Auth prompt in a new window with some data saying what it wants access to, where you log directly into Spotify itself, and then that passes a different piece of data back to the app or site saying "yes this person is ____ and you can now access what was requested with this key."

What people have an issue with is that right now that extra piece of data, the "key" to access account data possibly including the ability to make changes to followers/playlists/etc if it was requested, can't be revoked by users unless it expires on its' own. Based on my followup in one particular case, Spotify claims to be unable to revoke that access as well, which is downright dangerous. Futhermore, support suggested that I contact the third party in question to have access removed, which is reliant on the third party being well-intentioned and responsive, but also impossible according to Spotify's own documentation and developer comments since there is no way for an app/site to "give up" access once it's granted either.

Put simply: Since this is completely independent of your account details, the point of it being that you don't need to give your actual login info to a third party, changing your password has zero effect on it. Most well-designed systems for third party access to information of an account use this type of process (Facebook, Google, Twitter, etc.), but I've never seen one that you can't revoke access after it's been given which is the case here.

What truly scares me is that there are numerous video games with more secure implementations than what appears to be the case at Spotify, including one with half a million users and only one developer maintaining their API (though admittedly more are likely involved with their auth setup) which is in much better shape than this.


Edit: Added some more info on inability for a third party to give up access and on other systems which use this type of process.
Edit 2: Finished reading the docs, editing for accuracy.

Unbelievable this isn't possible