Samuel

@samuelscheit.com

Developer (TypeScript, React-Native and reverse-engineering) | Founder spacebar.chat | CS Student TUMunich https://samuelscheit.com

Joined 23.11.2023

Latest posts by Samuel @samuelscheit.com

GitHub - SamuelScheit/spotify-drm-report: Missing DRM Enforcement in Spotify’s Accesspoint API: Proof of Concept Report

A proof of concept and the detailed report can be found here:

github.com/SamuelScheit...

07.06.2025 20:08 👍 0 🔁 0 💬 0 📌 0

🔓 Step 4: Decrypt the file
Request AES decryption key from the Accesspoint
Receive the raw key
Decrypt with AES-128-CTR
Done. You now have a DRM-free, ready-to-play audio file.

07.06.2025 20:08 👍 0 🔁 0 💬 1 📌 0

🎶 Step 3: Download the track
Request metadata from Spotify’s internal API
Receive links to multiple audio files (bitrate varies)
Download the file of your choice
Max 160kbps for free users, higher for premium

07.06.2025 20:08 👍 0 🔁 0 💬 1 📌 0

👤 Step 2: Authenticate
Send username + password of the Spotify account (premium OR free)
Receive ephemeral access token valid for 1 hour
Use this token to fetch metadata and download links for any track

07.06.2025 20:08 👍 0 🔁 0 💬 1 📌 0

🔐 Step 1: Connect to Spotify’s Accesspoint API
Start a TCP connection
Perform a Diffie-Hellman handshake
Derive shared keys
Set up Shannon stream cipher for communication

07.06.2025 20:08 👍 0 🔁 0 💬 1 📌 0

3/ After exhausting all responsible disclosure options, I feel obligated to make this information public in the hope that it will finally prompt Spotify to take action and implement proper security measures.

07.06.2025 20:05 👍 0 🔁 0 💬 1 📌 0

1/ Back in 2020, a researcher reported a flaw to Spotify:
Their Accesspoint API lets anyone with a valid account download and decrypt song data without any DRM or device attestation.
They dismissed it and didn't take any action for more than 5 years to address or fix the issue.

07.06.2025 20:04 👍 0 🔁 0 💬 1 📌 0

🧵Spotify’s DRM is Broken — How Anyone Can Download and Decrypt Songs Without Protection

This is a story about how I discovered a security flaw in Spotify’s Accesspoint API that’s been ignored for over 5 years.

07.06.2025 20:03 👍 1 🔁 0 💬 1 📌 0

lol ChatGPT Deep Research is trying to bypass paywalls

07.06.2025 20:00 👍 1 🔁 0 💬 0 📌 0
Paid credits expired wth? - API - OpenAI Developer Community: I had made a payment of a couple hundred dollars and it says in the Usage page that they are expired? Hello? Are you serious? Under German law, the expiration of prepaid funds is generally not permissible, as it constitutes an unfair disadvantage to the consumer (Section 307 of the German Civil Code - BGB). Additionally, companies offering services in Germany or the European Union must comply with applicable consumer protection laws. I kindly request clarification on this matter and the rein...

Just discovered that OpenAI credits expire after a year and the money is lost.
Luckily it was just $20 but still outrageous.
There’s a very insightful thread about this, stating that this practice is even illegal in Germany
t.co/WtOlhbBPdm

07.06.2025 19:58 👍 0 🔁 0 💬 0 📌 0
React Native Skia List The fastest react-native list renderer

@samuelscheit.com is cooking something incredible. I am very bullish on this new list approach. samuelscheit.github.io/react-native...

07.11.2024 21:13 👍 21 🔁 3 💬 1 📌 1

🔥 Pretty cool to fire off this blog post about RN Lists and then learn about a brand new List!

samuelscheit.github.io/react-native...

07.11.2024 21:28 👍 20 🔁 5 💬 1 📌 0

Thanks for the shoutout.
If anyone wants to help with PRs, bug reports or docs writing, feel free to contribute; I can use any help.

github.com/SamuelScheit...

07.11.2024 21:36 👍 4 🔁 0 💬 0 📌 0
Advance-3 Dedicated Server Get an ADV-3 dedicated server to host your e-commerce store and other websites. vRack private network 100 Mbps + 500 GB storage + Anti-DDoS included.

Concluding from the domain, I looked up OVH bare metal server prices and configured the $159/month server option.
It has the following specs:
- CPU: AMD EPYC 4464P - 12c/24t - 3.7GHz/5.4GHz
- RAM: 64GB DDR5
- SSD: 2x 960 GB

www.ovhcloud.com/en/bare-meta...

02.11.2024 18:54 👍 2 🔁 0 💬 0 📌 0