Let's look at the how first. It would appear that, due to some sloppy coding, there was a bug in the Spotify system which meant that it had been possible to access the password hashes of individual users.

The vulnerability was both discovered and fixed on December 19th 2008. However, until that date it was possible to reverse engineer the Spotify encrypted streaming protocol and potentially brute force weak passwords of known users.
The same vulnerability also potentially exposed, along with the password hashes, full registration information including email address, date of birth, gender, postal code and billing receipt details. Because credit card payments were not stored, with payments handled by a secure third-party payments provider, these were never at risk of exposure.

There are several important clues here that reduce the impact of this breach. First, it only affects those users with an account created on or before December 19th 2008. Second, only those with weak passwords which were also used for other online sites and services are at any real risk.

Spotify have made it quite clear that it was not the passwords but the password hashes that may have been exposed. These hashes were salted, so the hackers would not be able to attack them using rainbow tables. However, individual weak passwords could be vulnerable to brute force and dictionary attacks, but not in parallel: each hash has to be attacked on its own. The chances of a hacker having got your individual password hash in time, and devoted more time to cracking it just to access a free service, are, well, pretty minimal.
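
To make the salting point concrete, here is an added example (not from the original article and not Spotify's code) that counts the hash evaluations a dictionary check needs against unsalted and salted records. The article does not name the hash function, so salted SHA-256 is an assumption, and the user names, passwords and word list are constructed.

```python
import hashlib
import os

# Constructed sample data. The page does not say which hash function Spotify
# used; salted SHA-256 is an assumption made only for this illustration.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "password", "bob": "password", "carol": "T7#vq9!mZp2k"}


def digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_store(users: dict, salted: bool) -> dict:
    """Build {user: (salt, hash)}; unsalted records share the empty salt."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16) if salted else b""
        store[name] = (salt, digest(salt, password))
    return store


def dictionary_check(store: dict, wordlist: list) -> tuple:
    """Return (accounts whose password is in wordlist, hash evaluations).

    Guess hashes are computed once per distinct salt, so the work can only
    be shared between records that have the same salt.
    """
    tables = {}  # salt -> set of hashes of every wordlist entry
    evaluations = 0
    weak = set()
    for name, (salt, stored) in store.items():
        if salt not in tables:
            tables[salt] = {digest(salt, word) for word in wordlist}
            evaluations += len(wordlist)
        if stored in tables[salt]:
            weak.add(name)
    return weak, evaluations


if __name__ == "__main__":
    for salted in (False, True):
        store = make_store(USERS, salted)
        weak, cost = dictionary_check(store, WORDLIST)
        same = store["alice"][1] == store["bob"][1]
        print(f"salted={salted} weak={sorted(weak)} hashes={cost} "
              f"alice/bob hashes equal={same}")
```

The weak passwords are found in both cases; what the salt removes is the precomputed table and the work shared across accounts, so the cost grows with the number of users.
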
So, sure, let's give Spotify a spanking for allowing this to happen but
let's not crucify them on a cross of media misunderstanding. Now if you want
to get the crown of thorns out for the potential misuse of that other
personal information mentioned, that's a different story altogether.
David Bass