This video demonstrates a cross site request forgery web vulnerability and a privilege escalation vulnerability in the official Spotify online service web-application. The vulnerability doesn’t require any user interaction for the exploitation of the privilege escalation which makes it near critical.
I came across the restore feature inside Spotify’s web application. The first thing that interested me was to find out how the feature really restored “deleted” playlists, so I went forward and captured the request with a proxy interrupting tool.
The Post content was as follows: playlist=spotify/user/(user)/playlist/(playlist)/
There was something interesting in the post content, the request was specifying the exact directory of the playlist.
I tried to change the specified directory from /user/karimmtv/ into /user/spotifydiscover and ran the request. The page then said “message”:”restored”.
I was shocked, but I was still doubting that anything actually happened, so I opened the Spotify launcher, and looking at my list of “playlists” I noticed a new un-named playlist. When trying to open it though, it would endlessly load.
I was about to give up, until I noticed how to glitch the renaming system in Spotify. Through double-left-clicking on the playlist 2 times, It allowed me to set a name for the “exploited” playlist. After setting a name to that playlist, the endless loading stopped and I could see a proper playlist, and It was by the user “spotifydiscover”.
I was astonished as I hadn’t actually planned on trying to exploit anything inside that restore feature but that moment of hope revealed an extremely critical vulnerability!
Follow up
When contacting Spotify they were first shocked by the revelation, but also very appreciative. They fixed the vulnerability within a week or so.
At the end of the day, everything is coded and developed by humans, and humans are not perfect, so there are always mistakes for security researchers like me to find and inform the vendor about. Mistakes that translate into vulnerabilities can lead to huge losses.
Remember, security comes first before functionality.
//Karim Rahal
The advisory of the vulnerability was first published on Vulnerability Lab back in September