What is Detectify?

Guest blog: Karim Rahal on a Spotify playlist hack

January 26, 2016

Karim Rahal is a 13-year old independent researcher from Lebanon. Back in September he discovered a vulnerability in Spotify that allowed anyone to create a playlist in any user account’s or artist’s name and publish it. Karim reported the vulnerability to Spotify who fixed the security issue within a week. An advisory on his findings were later published on the ethical security platform, vulnerability-lab.com

This is Karim Rahal, a 13-year old Web Application Security Researcher and Ethical Hacker from Lebanon. I find security issues inside websites that could lead to exploitation for bad intentions (BlackHat Hacking), and then I report them.

Spotify Karim Guest Blog Detectify

During the summer of 2015, I was going around Spotify, researching for different vulnerabilities, when I came across the website feature that allows you to restore deleted playlists right into your list of playlists. By tampering with that request, I discovered I could create a playlist in any user’s name and then publish it.

Technical details

Basically, when asking to restore a deleted playlist, the website sends a request to the launcher to recreate the playlist. By tampering with the launcher, it was possible to put in a new account name, and publish the playlist in that person’s name instead. In the below example I created a playlist for Spotify.

This video demonstrates a cross site request forgery web vulnerability and a privilege escalation vulnerability in the official Spotify online service web-application. The vulnerability doesn’t require any user interaction for the exploitation of the privilege escalation which makes it near critical.

I came across the restore feature inside Spotify’s web application. The first thing that interested me was to find out how the feature really restored “deleted” playlists, so I went forward and captured the request with a proxy interrupting tool.

The Post content was as follows: playlist=spotify/user/(user)/playlist/(playlist)/

There was something interesting in the post content, the request was specifying the exact directory of the playlist.

I tried to change the specified directory from /user/karimmtv/ into /user/spotifydiscover and ran the request. The page then said “message”:”restored”.

I was shocked, but I was still doubting that anything actually happened, so I opened the Spotify launcher, and looking at my list of “playlists” I noticed a new un-named playlist. When trying to open it though, it would endlessly load.

I was about to give up, until I noticed how to glitch the renaming system in Spotify. Through double-left-clicking on the playlist 2 times, It allowed me to set a name for the “exploited” playlist. After setting a name to that playlist, the endless loading stopped and I could see a proper playlist, and It was by the user “spotifydiscover”.

I was astonished as I hadn’t actually planned on trying to exploit anything inside that restore feature but that moment of hope revealed an extremely critical vulnerability!

Follow up

When contacting Spotify they were first shocked by the revelation, but also very appreciative. They fixed the vulnerability within a week or so.

At the end of the day, everything is coded and developed by humans, and humans are not perfect, so there are always mistakes for security researchers like me to find and inform the vendor about. Mistakes that translate into vulnerabilities can lead to huge losses.

Remember, security comes first before functionality.
//Karim Rahal

The advisory of the vulnerability was first published on Vulnerability Lab back in September


About Karim Rahal: 

I built up my experience through admiring what others have found and then learning from their findings, and through simply researching and spending days improving my skills. My cause is to spread web security awareness, and to help companies secure and immune their websites from dangerous vulnerabilities that can lead to dangerous exploitation.

Twitter: @KarimPwnz

Karim

Karim Rahal with Suzan Hajj Hobeiche, Lebanon’s Head of the Cybercrime and Intellectual Property Bureau