
Session hijacking! 3rd party app intercepting my logins.

Open fotiDim opened this issue 6 years ago • 2 comments

This is really frustrating. I got a report from a user that my app was presenting a black screen on login. After investigation it turned out that the user had an app called XM (https://apps.apple.com/us/app/xm-musi-simple-music-streaming/id1493317998) which was apparently intercepting Spotify URLs and presenting a black screen while it was at it.

As there is no way to prevent 3rd parties from declaring to be able to open Spotify URLs, my proposal to mitigate this is to switch to universal links. Currently the SDK uses the spotify-action://authorize custom scheme and this needs to change to an https scheme to prevent cases like this.

I would also like to highlight the security aspect of it as the URL that XM receives includes:

  • my client_id
  • my redirect_uri
  • my bundle id
  • URL to be played
  • and other stuff...

Essentially, XM (accidentally or not) is performing session hijacking and this shouldn't be allowed.

fotiDim avatar Jan 26 '20 17:01 fotiDim
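The mitigation proposed above, sketched as an added example (this is not code from the Spotify iOS SDK or from the issue author): the app registers an https universal link instead of a custom scheme as its redirect_uri, so only the app whose bundle is listed in the domain's apple-app-site-association file receives the callback, and it validates the callback before trusting the authorization code. `example.com`, the `/callback` path and the `onAuthorizationCode` hand-off are placeholders; the `state` check is a standard OAuth defence added here beyond what the issue proposes.

```swift
import UIKit
import Security

// Added example, not SDK code. Assumes the app's redirect_uri is now
// https://example.com/callback (placeholder domain), the target has the
// Associated Domains entitlement `applinks:example.com`, and
// https://example.com/.well-known/apple-app-site-association lists this
// app's bundle for the /callback path. A third-party app cannot claim that
// link the way it can claim an arbitrary custom scheme.
enum AuthCallback {
    // Must match the redirect_uri registered with the authorization server.
    static let expectedHost = "example.com"
    static let expectedPath = "/callback"

    // `state` issued for the in-flight authorization request, if any.
    static var pendingState: String?

    // Called by whoever receives the validated authorization code (placeholder).
    static var onAuthorizationCode: ((String) -> Void)?

    // Generate an unguessable `state` before opening the authorization URL
    // so that a callback we did not initiate is rejected.
    static func newState() -> String {
        var bytes = [UInt8](repeating: 0, count: 32)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        let state = bytes.map { String(format: "%02x", $0) }.joined()
        pendingState = state
        return state
    }

    // Accept the callback only if it is https, targets our registered
    // host and path, and carries the `state` we issued. Returns the
    // authorization code, or nil when any check fails.
    static func authorizationCode(from url: URL) -> String? {
        guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
              parts.scheme == "https",
              parts.host == expectedHost,
              parts.path == expectedPath else {
            return nil
        }
        // First value wins if a parameter is repeated.
        let query = Dictionary(
            (parts.queryItems ?? []).compactMap { item in item.value.map { (item.name, $0) } },
            uniquingKeysWith: { first, _ in first }
        )
        guard let state = query["state"],
              let expected = pendingState,
              state == expected else {
            return nil
        }
        pendingState = nil   // one-time use
        return query["code"]
    }
}

final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    // iOS delivers universal links through NSUserActivity, not through the
    // custom-scheme openURLContexts path the old spotify-action:// flow used.
    func scene(_ scene: UIScene, continue userActivity: NSUserActivity) {
        guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
              let url = userActivity.webpageURL else { return }
        if let code = AuthCallback.authorizationCode(from: url) {
            AuthCallback.onAuthorizationCode?(code)
        }
    }
}
```

If universal-link association is missing or broken (wrong team/bundle ID in the AASA file, entitlement not set), iOS opens the https URL in Safari rather than handing it to another app, so a misconfiguration fails visibly instead of leaking the callback to whichever app registered the scheme.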

Thanks for reporting this. That app seems to have been taken down but we will switch to universal links to prevent cases like this in the future.

kkarayannis avatar Jan 28 '20 10:01 kkarayannis

@kkarayannis have you migrated to universal links?

arielsegura avatar Jul 23 '24 14:07 arielsegura