Spotify recently patched a flaw that allowed Chrome users to download any of the company’s 20 million songs free and clear. By using a browser extension called Downloadify, subscribers were able to take advantage of a weakness (or simple lack of security) in Spotify’s web player.
According to reports, the web player – which debuted in November 2012 – didn’t utilize any sort of encryption. What’s more, the browser extension was free and readily available via the Chrome Web Store. All one had to do was start playing a song on Spotify and the extension would begin to download a full DRM-free copy of the song in MP3 format.
Widespread news of the exploit first hit the web yesterday. Google quickly removed the app from the Chrome Web Store, saying that it removes apps that do not comply with its terms of service. Spotify said it was aware of the matter and had already issued a patch to prevent further use of the exploit. We’re still waiting on an official release from Spotify on the matter, however.
It’s worth pointing out that premium (paying) members are allowed to “store” music locally via what Spotify calls offline mode. This allows users to enjoy their favorite tunes without an Internet connection, but of course this function requires a paid subscription.
The app’s developer, Robin Aldenhoven, acknowledged the fix on Twitter earlier today. He told The Verge that he had no plans to update the extension to circumvent Spotify’s new security measures, however.