Karim Rahal is a 13-year-old independent researcher from Lebanon. Back in September he discovered a vulnerability in Spotify that allowed anyone to create a playlist in any user's or artist's name and publish it. Karim reported the vulnerability to Spotify, which fixed the security issue within a week. An advisory on his findings was later published on the ethical security platform vulnerability-lab.com.
This is Karim Rahal, a 13-year-old Web Application Security Researcher and Ethical Hacker from Lebanon. I find security issues inside websites that could lead to exploitation for bad intentions (BlackHat Hacking), and then I report them.
During the summer of 2015, I was going around Spotify, researching for different vulnerabilities, when I came across the website feature that allows you to restore deleted playlists right into your list of playlists. By tampering with that request, I discovered I could create a playlist in any user’s name and then publish it.
Technical details
Basically, when asking to restore a deleted playlist, the website sends a request to the launcher to recreate the playlist. By tampering with the launcher, it was possible to put in a new account name, and publish the playlist in that person’s name instead. In the example below I created a playlist for Spotify.
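The server-side check that closes this class of bug, as an added example that is not part of the original post and is not Spotify's code: the restore handler takes the owner from the authenticated session and the stored record, never from the request. The `PlaylistStore` class, the `playlist_id` and `owner` field names, and the sample data are all hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to restore the playlist."""


@dataclass
class PlaylistStore:
    # Constructed sample data: deleted playlists keyed by a hypothetical id.
    deleted: dict = field(default_factory=lambda: {
        "pl-1": {"owner": "alice", "name": "Road trip"},
    })
    live: list = field(default_factory=list)

    def restore_trusting_client(self, session_user, request):
        """Flawed shape described in the post: the owner is read from the
        request, so whatever account name the client sends is used."""
        item = self.deleted[request["playlist_id"]]
        restored = {"owner": request["owner"], "name": item["name"]}
        self.live.append(restored)
        return restored

    def restore_checked(self, session_user, request):
        """Hardened shape: the owner is the authenticated session user, and
        the deleted playlist must already belong to that user."""
        item = self.deleted.get(request["playlist_id"])
        # Unknown id and someone else's id get the same error, so the
        # response does not reveal which playlist ids exist.
        if item is None or item["owner"] != session_user:
            raise Forbidden("playlist not restorable by this account")
        # Any client-supplied "owner" field is deliberately ignored.
        restored = {"owner": session_user, "name": item["name"]}
        del self.deleted[request["playlist_id"]]
        self.live.append(restored)
        return restored
```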