🧵Spotify’s DRM is Broken — How Anyone Can Download and Decrypt Songs Without Protection
This is a story about how I discovered a security flaw in Spotify’s Accesspoint API that’s been ignored for over 5 years.
Back in 2020, a researcher reported a flaw to Spotify:
Their Accesspoint API lets anyone with a valid account download and decrypt song data without any DRM or device attestation.
Fast forward to 2023, I independently discovered and reported the same issue to their HackerOne program.
They dismissed it and didn't take any action for more than 5 years to address or fix the issue.
After exhausting all responsible disclosure options, I feel obligated to make this information public in the hope that it will finally prompt Spotify to take action and implement proper security measures.