🔐 Step 1: Connect to Spotify’s Accesspoint API
Start a TCP connection
Perform a Diffie-Hellman handshake
Derive shared keys
Set up the Shannon stream cipher for communication
👤 Step 2: Authenticate
Send username + password of the Spotify account (premium OR free)
Receive ephemeral access token valid for 1 hour
Use this token to fetch metadata and download links for any track
🎶 Step 3: Download the track
Request metadata from Spotify’s internal API
Receive links to multiple audio files (bitrate varies)
Download the file of your choice
Max 160kbps for free users, higher for premium
🔓 Step 4: Decrypt the file
Request AES decryption key from the Accesspoint
Receive the raw key
Decrypt with AES-128-CTR
Done. You now have a DRM-free, ready-to-play audio file.
Back in 2020, a researcher reported a flaw to Spotify:
Their Accesspoint API lets anyone with a valid account download and decrypt song data without any DRM or device attestation
Fast forward to 2023: I independently discovered and reported the same issue to their HackerOne program.
They dismissed it and didn't take any action for more than 5 years to address or fix the issue.
After exhausting all responsible disclosure options, I feel obligated to make this information public in the hope that it will finally prompt Spotify to take action and implement proper security measures.
🧵Spotify’s DRM is Broken — How Anyone Can Download and Decrypt Songs Without Protection
This is a story about how I discovered a security flaw in Spotify’s Accesspoint API that’s been ignored for over 5 years.
lol ChatGPT Deep Research is trying to bypass paywalls https://cdn.nostrcheck.me/a45417070d7be1e57448581689a9ef6fb07e6afb156d3b17235456053f4a6692/6546b811e24c1e70cc62d3dacbed68050e6b6b5850f8b4efb3be832f25c00e50.webp
Just discovered that OpenAI credits expire after a year and the money is lost.
Luckily it was just $20 but still outrageous.
There’s a very insightful thread about this, stating that this practice is even illegal in Germany