Spotify flaw allows songs to be downloaded for free

Encryption flaw allows users to download Spotify tracks as MP3 files

Barry Collins
8 May 2013

A flaw in Spotify's web-based player allows users to download any song as an MP3 file.

The flaw was first exploited by a Chrome extension called Downloadify, which was quickly pulled from the Chrome Web Store following reports of the exploit on The Verge.

However, it remains available via various online repositories, and can still be sideloaded into the Chrome web browser. We successfully installed and downloaded tracks using the extension this morning.

The extension automatically initiates a download of any song that's played via the Spotify web player. The user doesn't even have to wait for the song to finish playing, as the track is downloaded immediately, making it easy for users to download songs as quickly as their broadband connection can deliver them.

The downloads arrive as MP3 files with a bit rate of 160Kbits/sec, which is half the maximum quality bit rate on Spotify, but more than good enough for listening to on personal MP3 players.

The flaw reportedly takes advantage of a lack of encryption on Spotify's web player, and could land the service in big trouble with its record label partners, which will doubtless be unhappy to see their assets made so readily available for download.

Spotify was unavailable for comment at the time of publication.

Read more about: