Back in 2020, a researcher reported a flaw to Spotify:

Their Accesspoint API lets anyone with a valid account download and decrypt song data without any DRM or device attestation

Fast forward to 2023, I independently discovered and reported the same issue to their Hackerone program.

They dismissed it and didn't take any action for more than 5 years to address or fix the issue.

After exhausting all responsible disclosure options, I feel obligated to make this information public in the hope that it will finally prompt Spotify to take action and implement proper security measures.


Discussion

🔐 Step 1: Connect to Spotify’s Accesspoint API

Start a TCP connection

Perform a Diffie-Hellman handshake

Derive shared keys

Set up the Shannon stream cipher for the session

👤 Step 2: Authenticate

Send the username and password of the Spotify account (premium or free)

Receive an ephemeral access token valid for 1 hour

Use this token to fetch metadata and download links for any track

🎶 Step 3: Download the track

Request metadata from Spotify’s internal API

Receive links to multiple audio files (bitrate varies)

Download the file of your choice

Maximum 160 kbps for free users, higher for premium

🔓 Step 4: Decrypt the file

Request the AES decryption key from the Accesspoint

Receive the raw key

Decrypt with AES-128-CTR

Done. You now have a DRM-free, ready-to-play audio file.