Plan: Premium
Country: USA
Device: Marantz AV7704, Denon HEOS1
Operating System: Embedded in speaker/processor; Any computer/device running Spotify app
My Question or Issue:
I HOPE I AM WRONG, BUT THIS IS BAD.
ANY SPOTIFY USER WHO HAS EVER ACCESSED MY SPOTIFY CONNECT CAPABLE SPEAKER / EQUIPMENT / PLAYBACK DEVICE CAN HIJACK IT AT ANY TIME FROM ANYWHERE.
THIS ISN’T JUST THOUGHTLESS DESIGN, THIS IS IRRESPONSIBLE.
I hope I’m wrong. There appears to be no way to revoke remote control of a Spotify Connect playback device / speaker / stereo / etc without being able to access the app / account on the phone / computer / etc that has previously accessed the equipment and played content through it.
Any Spotify user who joins my Wi-Fi network can discover and connect to my equipment and play music through it, whether I want them to or not. I can’t limit speaker remote control access only to my phone or computer, or specific ones that I choose. That is BAD.
Furthermore, even after they leave my Wi-Fi network, from anywhere in the world, they can turn my equipment on and play any content they want at any time, at any volume. They can even interrupt what I am currently listening to, take over my equipment, and blast anything they want into my space. They can play objectionable content to children, they can wake me and my neighbors in the middle of the night, they can play at excessive volumes and blow out my equipment. That is WORSE.
THIS IS A HUGE SECURITY HOLE IN SPOTIFY CONNECT THAT NEEDS TO BE CORRECTED IMMEDIATELY.
I can completely disconnect my equipment from the network but then I lose all functionality. My equipment allows me to disable remote access when the unit is in Standby / Off mode, but that doesn’t stop it from being hijacked when it is on and being used (most of the time).
HOW CAN I FIND OUT WHICH SPECIFIC SPOTIFY USERS HAVE THE ABILITY TO HIJACK MY EQUIPMENT AND HOW CAN I SELECTIVELY REVOKE ACCESS, PREVENTING UNWANTED USERS FROM ACCESSING MY EQUIPMENT BEHIND MY FIREWALL ON MY PRIVATE NETWORK VIA SPOTIFY’S UNSECURED NETWORK SERVICES??!!
HOW CAN I DISABLE ACCESS TO SPOTIFY CONNECT ON THIS EQUIPMENT UNTIL THIS MAJOR SECURITY PROBLEM IS CORRECTED??!!
1000% AGREE. wth Spotify??? I am just finding this out the hard way.. how to escalate something like this??
Hey there @Dsg76,
Thanks for reaching out to the Community. Help's here.
Would you mind sending over some more information about what's happening?
It would also be helpful to know your device's make, model, OS version and Spotify version so we can investigate further.
Keep us posted.
I think the original post is pretty clear here, the problem is your insanely insecure implementation of your Connect feature. I have a Yamaha AVR, and my nephew came over a few weeks ago, and pushed Spotify (from his phone) to my speaker system. Now, he can play music to my AVR anytime he wants. I cannot turn this off. This is insane and a horrid feature. Please help. Yamaha RX-780 AVR
Nephew has an iPhone. I don't really use Spotify at home.
What other info would you like?
Hey @Dsg76,
Thanks for getting back to us. We understand this is not ideal and we'd like to help you sort this out.
Just to confirm, is it only happening with your receiver or have you noticed it happening with other speakers?
You could also try resetting your receiver to see if you notice anything new. It's possible that it might have somehow cached your nephew's details.
Let us know how it goes.
Ok, I feel like you are missing the larger issue here.
Answer me this. Why is a Spotify app able to play music to a REMOTE set of speakers? This should only work while connected to a local WiFi network, but for some reason Spotify has made this something to do remotely.
You enable this feature, giving power to the user of the app, leaving the owner of the speakers helpless to disable it. This goes for all smart speaker devices. Again, did you read the original post the guy made?? He is pretty clear.
I would like to understand how Spotify justifies this.
Hey @Dsg76,
We'd recommend you do a factory reset on the speaker. This way all details entered on it will be forgotten.
Another option would be to ask your nephew to Log Out Everywhere. This way his account will be disconnected from the speaker in question and won't have access to it.
Hope this helps. Don't hesitate to reach out again if you have questions.
Hi-
I find it impressive that no support person will address the question I asked, and will not address the original post. Is there a product manager that can chime in here?
So I should factory reset my home theater system, because someone ELSE added my speakers to YOUR app, an app that I never logged into on my AVR. In fact it sounds like you are asking me to treat your app like MALWARE.
The problem here is Spotify, and your implementation of Connect. It's insecure and NOT OK. When you want to address this, let me know.
Until then, I will block the ports on my router and work with Yamaha directly to disable Spotify. I was actually thinking about buying the service recently, I can tell you that isn't happening now.
Hey @Dsg76,
Thanks for your post.
We take user safety very seriously, however we can't prevent users from logging in with their details on someone else's device if they have physical access to it.
If you have any ideas on how the functionality of the app can be improved you can create an idea on the relevant idea board. We always take new ideas and feedback into consideration to improve the app. Here you can read more on how ideas work.
We also suggest checking this help article for useful tips on how to submit an idea. As a heads-up, it's good to know that the higher the number of votes an idea gets, the more likely it is for the idea to be implemented.
Hope this helps. Let us know if you have any more questions.
We take user safety very seriously, however we can't prevent users from logging in with their details on someone else's device if they have physical access to it.
Right- I get that if they are on my home WiFi at the time, they should be able to access my speakers. That is expected behavior. Once they leave my home, and no longer are on my WiFi, why would they continue to keep the ability to control my speakers?
Note: they never had physical access to my AVR, it just uses Bluetooth.
Hi @Dsg76,
Thanks for the reply.
Remote control of devices is a feature that we receive a lot of positive feedback about and based on the opposite end of the feedback spectrum - for users who want only the local functionality we added options within the app to show only local devices and also to forget a device once it's added.
There's also an automatic forget period for devices that don't get re-connected within a given timeframe.
So we did our best to provide the best of both worlds, for both types of user behavior. We, however, cannot control how third party hardware developers add such "forget" features and don't have access to either our own user settings or the devices involved to force the options to be used.
Ultimately, if someone was able to get physically close to the device to modify it locally or was given access to the local network, this must've happened with the consent of the network administrator or device owner. As such, it is their responsibility that no one with malicious intent would be given the WiFi password or direct access to a device. Besides recommending that you be careful who you give access to your network and devices, we really can't do much else, besides completely taking the remote control option out, which would in turn anger everyone who enjoys controlling their devices while at a different location.
Bluetooth has a maximum operating range of 10 meters and is independent of the Spotify app or remote access, so the AVR most likely has network connectivity options, besides Bluetooth.
Hope you find this information useful. We're always a click away if you have more questions.
I can see why people like it, but at the same time, the system owner should be able to maintain control of their own hardware.
The most logical solution is to give the owner of the devices the ability to disable Spotify Connect. Sure, have it on by default, but give the owner that choice. Note that I never have even logged into my Spotify on my AVR, it's just enabled along with other streaming services.
I strongly disagree that once I give someone my WiFi, they are forever entrusted with access to my speakers. Even if someone played music by accident, that would be enough of a reason, and even worse you could never know who that person was since there is no log. For now I have blocked the ports on my router, so connect traffic is blocked for good.
Hi @Dsg76,
Thanks for your message.
We completely understand your concerns. However, keep in mind that we're unable to influence what the third party developers decide to implement by using our API.
As we previously mentioned, there's a built-in timeout that kicks in if a device hasn't been accessed locally in a set amount of time.
If anything else comes up, we're always a message away.
Take care.
Hi everyone, I'd like to pitch in. Indeed we are experiencing the same rather unexpected and creepy feature.
In our case the unit is B&O Beoplay M5
I understand that the issue is in both ends: B&O design & features and the Spotify API capabilities. However, it looks like the combination allows neither to take responsibility and the customer ends with a feature which seems more like a breach of privacy. I'd encourage Spotify to take action: demand a required set of features from the API users and bring a solution to the issue.
To put it lightly: not cool.
Spotify, I hate this feature. People on my network even come in and control my FireTV and I can't do anything about it. Please. Please do something about this. This is not cool and I am a premium user too.
I'm here also looking for a solution to this crazy app behaviour.
My pals think it's funny to play music at FULL VOLUME on my speakers while I sleep, or while I have company, or while I'm watching a movie... admittedly it was funny the first 10 times, but now it's ridiculous. The "timeout" you keep banging on about only happens if they don't connect for a certain amount of time, but if they do this on a weekly basis, they will ALWAYS have access!!!
I'm not bothered about the security aspect, but the fact they can put my speakers on full volume really bugs me, as it's not good for the speakers. The security aspect is also a bad thing though, so I get why people are dishing out sh*t for this feature.
I have a way to fix the problem though!
If the speaker's Alexa is registered on the same email account as the Spotify account, keep it in the app at all times.
If the user of Spotify IS NOT registered as the Alexa/Amazon user then remove access when they're out of WiFi range!
Please can this be fixed!
I have the same insane problem on a Denon DRA-800H.
Babysitter got Wifi access in our home and can ever since turn on our stereo (accidentally) from outside the house. It took me a while to discover that our network wasn't hacked but it's just a visitor from months back who still has access from miles away. It scared the **bleep** out of us.
There's no way to revoke this as owner of the device afaik. Factory reset works, but how is this even a decent solution...
On the same Wifi network sure, but without any restrictions from elsewhere? This is just plain bad design, the internet-of-things at its worst.
For anyone still interested in this, I had the same problem and could not use the firewall to block all the IPs used by Spotify, so I ended up sending the command resetUsers to the Spotify Connect API to forget the active user. That way, the spooky remote access is revoked. Obviously, when another one connects from within the local network, the remote access is re-established. So I had the aforementioned command being sent each minute.
Info about the command (resetUsers) and where to send it can be found in the following page:
https://github-wiki-see.page/m/thlucas1/homeassistantcomponent_spotifyplus/wiki/Spotify-Connect-Zero...
For Linux users, instead of dns-sd, use avahi-browse.
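The workaround described in the post above, as an added example (not the poster's script and not Spotify's code): it finds Spotify Connect endpoints in `avahi-browse` output and sends each one `resetUsers`, and is meant to be run from cron every minute on the device owner's own network. The `_spotify-connect._tcp` service type, the `CPath` TXT key, and the POST request with an `action=resetUsers` query string are assumptions to check against the wiki page linked in the post; the sample output is constructed.

```python
import shlex
import subprocess
import urllib.parse
import urllib.request

SERVICE = "_spotify-connect._tcp"  # assumed mDNS service type for Spotify Connect

# Constructed sample of `avahi-browse -rpt _spotify-connect._tcp` output.
SAMPLE = """\
+;eth0;IPv4;Living-Room-AVR;_spotify-connect._tcp;local
=;eth0;IPv4;Living-Room-AVR;_spotify-connect._tcp;local;avr.local;192.168.1.50;8080;"VERSION=1.0" "CPath=/zc"
=;eth0;IPv6;Living-Room-AVR;_spotify-connect._tcp;local;avr.local;fe80::1;8080;"VERSION=1.0" "CPath=/zc"
=;eth0;IPv4;Printer;_ipp._tcp;local;prn.local;192.168.1.60;631;"rp=ipp/print"
"""


def parse_endpoints(browse_output):
    """Return (address, port, cpath) for each resolved IPv4 Spotify Connect service."""
    endpoints = []
    for line in browse_output.splitlines():
        # Resolved records start with "=" and carry 10 fields; TXT data is last.
        fields = line.split(";", 9)
        if len(fields) < 10 or fields[0] != "=" or fields[4] != SERVICE:
            continue
        if fields[2] != "IPv4":  # skip IPv6 duplicates of the same device
            continue
        txt = dict(kv.split("=", 1) for kv in shlex.split(fields[9]) if "=" in kv)
        endpoints.append((fields[7], int(fields[8]), txt.get("CPath", "/")))
    return endpoints


def reset_url(address, port, cpath):
    """Build the resetUsers URL (query form is an assumption, see lead-in)."""
    query = urllib.parse.urlencode({"action": "resetUsers"})
    return f"http://{address}:{port}/{cpath.lstrip('/')}?{query}"


def reset_users(address, port, cpath, timeout=5):
    """Ask the device to forget its active Spotify user; returns the HTTP status."""
    req = urllib.request.Request(reset_url(address, port, cpath), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    out = subprocess.run(["avahi-browse", "-rpt", SERVICE],
                         capture_output=True, text=True, check=True).stdout
    for endpoint in parse_endpoints(out):
        print(endpoint, reset_users(*endpoint))
```
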