Can’t revoke remote control of Spotify Connect speakers

Plan: Premium

Country: USA

Device: Marantz AV7704, Denon HEOS1

Operating System: Embedded in speaker/processor; Any computer/device running Spotify app

 

My Question or Issue:

I HOPE I AM WRONG, BUT THIS IS BAD.

 

ANY SPOTIFY USER WHO HAS EVER ACCESSED MY SPOTIFY CONNECT CAPABLE SPEAKER / EQUIPMENT / PLAYBACK DEVICE CAN HIJACK IT AT ANY TIME FROM ANYWHERE.

 

THIS ISN’T JUST THOUGHTLESS DESIGN, THIS IS IRRESPONSIBLE.

 

I hope I’m wrong.  There appears to be no way to revoke remote control of a Spotify Connect playback device / speaker / stereo / etc without being able to access the app / account on the phone / computer / etc that has previously accessed the equipment and played content through it.

 

Any Spotify user who joins my Wi-Fi network can discover and connect to my equipment and play music through it, whether I want them to or not.  I can’t limit speaker remote control access only to my phone or computer, or specific ones that I choose.  That is BAD.

 

Furthermore, even after they leave my Wi-Fi network, from anywhere in the world, they can turn my equipment on and play any content they want at any time, at any volume.  They can even interrupt what I am currently listening to, take over my equipment, and blast anything they want into my space.  They can play objectionable content to children, they can wake me and my neighbors in the middle of the night, they can play at excessive volumes and blow out my equipment.  That is WORSE.

 

THIS IS A HUGE SECURITY HOLE IN SPOTIFY CONNECT THAT NEEDS TO BE CORRECTED IMMEDIATELY.

 

I can completely disconnect my equipment from the network but then I lose all functionality.  My equipment allows me to disable remote access when the unit is in Standby / Off mode, but that doesn’t stop it from being hijacked when it is on and being used (most of the time).

 

HOW CAN I FIND OUT WHICH SPECIFIC SPOTIFY USERS HAVE THE ABILITY TO HIJACK MY EQUIPMENT AND HOW CAN I SELECTIVELY REVOKE ACCESS, PREVENTING UNWANTED USERS FROM ACCESSING MY EQUIPMENT BEHIND MY FIREWALL ON MY PRIVATE NETWORK VIA SPOTIFY’S UNSECURED NETWORK SERVICES??!!

 

HOW CAN I DISABLE ACCESS TO SPOTIFY CONNECT ON THIS EQUIPMENT UNTIL THIS MAJOR SECURITY PROBLEM IS CORRECTED??!!

17 Replies

1000% AGREE. wth Spotify??? I am just finding this out the hard way... How to escalate something like this??

Hey there @Dsg76

 

Thanks for reaching out to the Community. Help's here.

 

Would you mind sending over some more information about what's happening? 

 

It would also be helpful to know your device's make, model, OS version and Spotify version so we can investigate further. 

 

Keep us posted.

Novy, Moderator
Help others find this answer and click "Accept as Solution".
If you appreciate an answer, maybe give it a "Like".
Are you new to the Community? Take a moment to introduce yourself!

I think the original post is pretty clear here, the problem is your insanely insecure implementation of your Connect feature. I have a Yamaha AVR, and my nephew came over a few weeks ago, and pushed Spotify (from his phone) to my speaker system. Now, he can play music to my AVR anytime he wants. I cannot turn this off. This is insane and a horrid feature. Please help. Yamaha RX-780 AVR

Nephew has an iPhone. I don't really use Spotify at home.

What other info would you like?

Hey @Dsg76

 

Thanks for getting back to us. We understand this is not ideal and we'd like to help you sort this out.

 

Just to confirm, is it only happening with your receiver or have you noticed it happening with other speakers?

 

You could also try resetting your receiver to see if you notice anything new. It's possible that it might have somehow cached your nephew's details. 

 

Let us know how it goes.

Novy, Moderator

Ok, I feel like you are missing the larger issue here.

 

Answer me this.  Why is a Spotify app able to play music to a REMOTE set of speakers?  This should only work while connected to a local WiFi network, but for some reason Spotify has made this something to do remotely.  

 

You enable this feature, giving power to the user of the app, leaving the owner of the speakers helpless to disable it.   This goes for all smart speaker devices.  Again, did you read the original post the guy made??   He is pretty clear.   

 

I would like to understand how Spotify justifies this.

Hey @Dsg76,

 

We'd recommend you do a factory reset on the speaker. This way all details entered on it will be forgotten.

 

Another option would be to ask your nephew to Log Out Everywhere. This way his account will be disconnected from the speaker in question and won't have access to it.

 

Hope this helps. Don't hesitate to reach out again if you have questions.

Alex, Moderator

Hi- 

 

I find it impressive that no support person will address the question I asked, and will not address the original post. Is there a product manager that can chime in here?

 

So I should factory reset my home theater system, because someone ELSE added my speakers to YOUR app, an app that I never logged into on my AVR.   In fact it sounds like you are asking me to treat your app like MALWARE.  

 

The problem here is Spotify, and your implementation of Connect. It's insecure and NOT OK. When you want to address this, let me know.

 

Until then, I will block the ports on my router and work with Yamaha directly to disable Spotify. I was actually thinking about buying the service recently; I can tell you that isn't happening now.

 

 

Hey @Dsg76,

 

Thanks for your post.


We take user safety very seriously, however we can't prevent users from logging in with their details on someone else's device if they have physical access to it. 

 

If you have any ideas on how the functionality of the app can be improved you can create an idea on the relevant idea board. We always take new ideas and feedback into consideration to improve the app. Here you can read more on how ideas work.

 

We also suggest checking this help article for useful tips on how to submit an idea. As a heads-up, it's good to know that the higher the number of votes an idea gets, the more likely it is for the idea to be implemented.

 

Hope this helps. Let us know if you have any more questions.

Alex, Moderator

We take user safety very seriously, however we can't prevent users from logging in with their details on someone else's device if they have physical access to it. 

 

Right, I get that if they are on my home WiFi at the time, they should be able to access my speakers. That is expected behavior. Once they leave my home, and are no longer on my WiFi, why would they continue to keep the ability to control my speakers?

 

Note: they never had physical access to my AVR, it just uses bluetooth.  

Hi @Dsg76,

 

Thanks for the reply.

 

Remote control of devices is a feature that we receive a lot of positive feedback about and based on the opposite end of the feedback spectrum - for users who want only the local functionality we added options within the app to show only local devices and also to forget a device once it's added.

 

There's also an automatic forget period for devices that don't get re-connected within a given timeframe.

 

So we did our best to provide the best of both worlds, for both types of user behavior. We, however, cannot control how third party hardware developers add such "forget" features and don't have access to either our own user settings or the devices involved to force the options to be used.

 

Ultimately, if someone was able to get physically close to the device to modify it locally or was given access to the local network, this must've happened with the consent of the network administrator or device owner. As such, it is their responsibility that no one with malicious intent would be given the WiFi password or direct access to a device. Besides recommending to be careful who you give access to your network and devices, we really can't do much else, besides completely taking the remote control option out, which would in turn anger everyone who enjoys controlling their devices while at a different location.

 

Bluetooth has a maximum operating range of 10 meters and is independent of the Spotify app or remote access, so the AVR most likely has network connectivity options, besides Bluetooth.

 

Hope you find this information useful. We're always a click away if you have more questions.

Alex, Moderator

I can see why people like it, but at the same time, the system owner should be able to maintain control of their own hardware.  

 

The most logical solution is to give the owner of the devices the ability to disable Spotify Connect. Sure, have it on by default, but give the owner that choice. Note that I have never even logged into my Spotify on my AVR; it's just enabled along with other streaming services.

 

I strongly disagree that once I give someone my WiFi, they are forever entrusted with access to my speakers.  Even if someone played music by accident, that would be enough of a reason, and even worse you could never know who that person was since there is no log.   For now I have blocked the ports on my router, so connect traffic is blocked for good.    

Hi @Dsg76

 

Thanks for your message. 

 

We completely understand your concerns. However, keep in mind that we're unable to influence what the third party developers decide to implement by using our API. 

 

As we previously mentioned, there's a built-in timeout that kicks in if a device hasn't been accessed locally in a set amount of time. 

 

If anything else comes up, we're always a message away.

 

Take care. 

Novy, Moderator

Sorry to bring up an old thread and a long post, but I've been watching this issue via multiple threads for a couple of years now and it is the primary reason I've not purchased Spotify; I feel so strongly this is a bad idea. I cannot believe the last person to connect to my speaker can continue to connect without my ability to control their access or remove their connection myself (without me having to be in the same location as the speaker to play something to it, which does disconnect them).

I would like to know more about "there's a built-in timeout that kicks in if a device hasn't been accessed locally in a set amount of time". In my testing, even after 12 hours, with a test device and a different Spotify account I was still able to connect to speakers I had previously connected to (provided nobody else has connected to the speaker since, which does sever connections to other users). How long is the magical timeout period?

I see many standard responses from Spotify such as:
- Reset the speaker - why should I have to do this to disconnect a remote user who was a guest at my house from my system?
- Ask the remote user to disconnect - again, why, it is my speaker at my house. I should have the ability to do this myself.
- Ask the user to sign out - this is nothing to do with the user signing into my speaker, they have simply played something to it via connect. Spotify's own helpdesk article specifically says that this only signs them out from devices they have signed into with credentials, it does not sever connections to speakers etc so is no good in this situation.
- "for users who want only the local functionality we added options within the app to show only local devices and also to forget a device once it's added" - again, I don't have control as the owner of the speaker, the guest who has since left my house is the one in control and the one who is being asked to turn on/off such features.
- "Ultimately, if someone was able to get physically close to the device to modify it locally or was given access to the local network, this must've happened with the consent of the network administrator or device owner. As such, it is their responsibility that no one with malicious intent would be given the WiFi password or direct access of a device. Besides to recommend to be careful who you give access to to your network and devices, we really can't do much else, besides completely taking the remote control option out, which would in turn anger everyone who enjoys controlling their devices while at a different location" - no problems with this, but that connection should not be persistent once they leave my WiFi network with me powerless to revoke it! And there is nothing stopping that user accidentally (or on purpose) playing anything to my speakers at possibly inappropriate times and volume levels! It should time out quickly after not being within local range of the speaker.


I get the ability to control the speaker when on a different network in some circumstances however I feel strongly that:
- I should have the ability to control who has access and revoke it without relying on the guest who was previously at my house to do something on their end.
- It should definitely lose the connection automatically after a timeout; I feel that something like 1 hour would be plenty. See question above: what is this timeout? Whatever it is now, I've tested up to 12 hours and could still connect. Very easy for somebody to leave my house then play to my devices at inappropriate hours at any volume!

Hopefully somebody at Spotify is still monitoring this and can advise.
Thanks!

Hi everyone, I'd like to pitch in. Indeed we are experiencing the same rather unexpected and creepy feature.

In our case the unit is B&O Beoplay M5

  1. First the unit was in our office, and one of our employees connected to the unit with Spotify.
  2. Next we took the unit to another city, on a different network, but the connection still remains, as the employee is still able to control the unit from 1000 km away.
  3. The grace period is not there, since it has now been 6 months since the speaker was last in the office.

 

I understand that the issue is on both ends: B&O design & features and the Spotify API capabilities. However, it looks like the combination allows neither to take responsibility, and the customer ends up with a feature which seems more like a breach of privacy. I'd encourage Spotify to take action: demand a required set of features from the API users and bring a solution to the issue.

 

To put it lightly: not cool.

Spotify, I hate this feature. People on my network even come in and control my FireTV and I can't do anything about it. Please. Please do something about this. This is not cool and I am a premium user too. 

I'm here also looking for a solution to this crazy app behaviour. 

 

My pals think it's funny to play music at FULL VOLUME on my speakers while I sleep, or while I have company, or while I'm watching a movie... admittedly it was funny the first 10 times, but now it's ridiculous. The "timeout" you keep banging on about only happens if they don't connect for a certain amount of time, but if they do this on a weekly basis, they will ALWAYS have access!!!

 

I'm not bothered about the security aspect, but the fact they can put my speakers on full volume really bugs me, as it's not good for the speakers. The security aspect is also a bad thing though, so I get why people are dishing out sh*t for this feature.

 

I have a way to fix the problem though! 

If the speaker's Alexa is registered on the same email account as the Spotify account, keep it in the app at all times.

If the user of Spotify IS NOT registered as the Alexa/Amazon user then remove access when they're out of WiFi range!

 

Please can this be fixed!

I have the same insane problem on a Denon DRA-800H.


Babysitter got Wifi access in our home and can ever since turn on our stereo (accidentally) from outside the house. It took me a while to discover that our network wasn't hacked but it's just a visitor from months back who still has access from miles away. It scared the **bleep** out of us.
There's no way to revoke this as owner of the device afaik. Factory reset works, but how is this even a decent solution...

On the same Wifi network, sure, but without any restrictions from elsewhere? This is just plain bad design, the internet-of-things at its worst.
