Spotify has moved quickly to plug a security hole in its web player that had briefly allowed users to download tracks for free.
An extension to the Google Chrome browser called Downloadify had exploited a Spotify vulnerability which enabled each of the 20 million songs available through the service to be stored to the user’s computer.
The extension took advantage of Spotify’s Premium service, which lets paid-up members download a certain number of tracks to play offline. It appears those tracks are completely DRM-free.
Potentially, those with a keen eye for music piracy may have used the service to amass a gigantic free music library on Spotify’s dime.
Upon hearing about the issue, Google quickly deleted the Downloadify extension (although it’s still available through websites like GitHub).
Spotify has confirmed the issue has been fixed, although it is yet to make an official statement on the subject.
Downloadify was created by Dutch developer Robin Aldenhoven, who revealed the extension yesterday, claiming Spotify “forgot to encrypt their music.”
In a series of tweets, he criticised Spotify for sending DRM-free tracks out to users and claimed the company had “broken their commitment” to artists for doing “so little to protect their library.”
Earlier today he added: “Seems like @Spotify fixed the player 🙂 the extension doesnt work anymore. Still no official response….”
He said that Spotify fixed the problem in an “acceptable way” and claimed he didn’t wish to harm the company by seeking to further develop the Downloadify tool.
“And Spotify = Awesome… So I don’t want to damage them. Just pay for the music (its almost free),” he tweeted.
Judging by his comments, it appears the developer was attempting to be helpful in pointing out Spotify’s weakness, but we’re not sure the Swedish streaming giant will feel the same way.