Is Spotify being crucified on a cross of media misunderstanding?


Let's look at the how first. It would appear that, due to some sloppy coding, there was a bug in the Spotify system that made it possible to access the password hashes of individual users.

The vulnerability was both discovered and fixed on December 19th 2008. Until that date, however, it was possible to reverse engineer Spotify's encrypted streaming protocol, obtain those hashes and potentially brute force the weak passwords of known users.

The same vulnerability also potentially exposed, along with the password hashes, full registration information including email address, date of birth, gender, postal code and billing receipt details.

Because credit card details were not stored, with payments handled by a secure third-party payments provider, these were never at risk of exposure. There are several important points here that reduce the impact of this breach.

First, it only affects those users with an account created on or before December 19th 2008. Second, only those with weak passwords which were also used for other online sites and services are at any real risk.

Spotify have made it quite clear that it was not the passwords but the password hashes that may have been exposed. These hashes were salted, so the hackers would not be able to attack them using rainbow tables.

However, individual weak passwords could still be vulnerable to brute force and dictionary attacks, and because of the salt each hash would have to be attacked on its own rather than all of them at once. The chances of a hacker having obtained your individual password hash in the first place, and then devoted the time to cracking it just to access a free service, are, well, pretty minimal.
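As an added illustration of the point above (not code from the article or from Spotify), the following shows why a salted hash defeats a precomputed table while a weak password still remains the exposure: a table keyed on the bare digest answers instantly, the same password under a per-user salt does not appear in it, and a registration-time weak-password check removes the remaining risk. The hash function, the wordlist and the 12-character threshold are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a list of weak passwords (real lists run to millions of entries).
WEAK_WORDS = ["password", "123456", "letmein", "qwerty", "football"]


def hash_password(password: str, salt: bytes = b"") -> str:
    # SHA-256 over salt || password is an assumption for illustration only; the article
    # does not say which hash Spotify used, and a site today should use a slow KDF.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def unsalted_table(words) -> dict:
    # Precomputed digest -> password map. Built once, it answers for every
    # unsalted hash in a leaked database at the cost of a dictionary lookup.
    return {hash_password(w): w for w in words}


def lookup(table: dict, digest: str):
    # Returns the password the table knows for this digest, or None.
    return table.get(digest)


def is_weak(password: str) -> bool:
    # Registration-time check: the only accounts the article calls "at real risk"
    # are those whose password sits in such a list and was reused elsewhere.
    return password.lower() in WEAK_WORDS or len(password) < 12


def store_password(password: str) -> tuple:
    # Per-user random salt: two users with the same password get different digests,
    # so there is no shared table and no one hash answers for another account.
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify_password(password: str, salt: bytes, digest: str) -> bool:
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(hash_password(password, salt), digest)
```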

So, sure, let's give Spotify a spanking for allowing this to happen but let's not crucify them on a cross of media misunderstanding. Now if you want to get the crown of thorns out for the potential misuse of that other personal information mentioned, that's a different story altogether.