Thursday 5 March 2009

Spotify: An Application Security Vulnerability

Yesterday Spotify, a Swedish-based online music and social networking business, announced that its music application had been successfully breached by a "Group". The attackers exploited what Spotify describes as a "bug" in its software. That is PR spin: it may well have been a bug, or simply poor application design, but most security professionals would call it a security vulnerability in the application. The vulnerability was fixed on 19th December 2008.

I don't know how, or even whether, Spotify had been testing their application for security vulnerabilities, but in my view it is fairly likely that a decent third-party application penetration test or code review would have uncovered the vulnerability long before the mystery Group took advantage of it. I think it's dangerous to assume that only the "Mystery Group" took advantage of the vulnerability, as alluded to in the Spotify breach statement. Just who this Group is, and their motives for illegally exploiting personal details, are unknown to me at the time of writing.

Credit where credit is due, the Spotify application's account management did not store passwords in plaintext. It stored a hash of each password (a fixed-length value produced by running the password through a one-way hashing algorithm) combined with a random per-user value (a salt), so that each user's stored password hash is unique even when two users choose the same password. This is application security best practice, unlike what we saw with the recent Monster website breach. It was these salted password hashes, along with account holders' personal details, that were compromised within the application.

Despite the good use of salted hashing, an individual password hash can still be brute forced or run against a dictionary attack to recover the original password in plaintext. What the salt prevents is cracking the whole dump at once: the attacker cannot use precomputed tables and has to repeat the work for every account separately, so weak passwords still fall, just one account at a time rather than en masse.
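To make the difference concrete, here is an added example (my own illustration, not Spotify's code; the post does not say which hash algorithm Spotify used, so SHA-256 and a 16-byte salt are assumptions) that builds an unsalted and a salted password store from constructed sample accounts and runs the same dictionary attack against both, counting how many hashes the attacker has to compute:

```python
import hashlib
import os

# Constructed sample data for the demonstration (not real Spotify accounts or
# wordlists). Two users deliberately share the password "letmein".
USERS = {"alice": "letmein", "bob": "music123", "carol": "letmein", "dave": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "spotify", "qwerty", "music123", "iloveyou"]


def hash_unsalted(password: str) -> bytes:
    """Unsalted storage: the hash depends on the password alone, so two users
    with the same password get the same stored value."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Salted storage: a random per-user salt is mixed in, so the same password
    yields a different hash for every user. SHA-256 is an assumption here; the
    post does not say which algorithm Spotify used."""
    return hashlib.sha256(salt + password.encode()).digest()


def build_unsalted_store(users: dict) -> dict:
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def build_salted_store(users: dict, salt_len: int = 16) -> dict:
    store = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)          # fresh random salt per account
        store[user] = (salt, hash_salted(pw, salt))
    return store


def verify_salted(store: dict, user: str, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    salt, digest = store[user]
    return hash_salted(attempt, salt) == digest


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Dictionary attack on an unsalted store. Each candidate is hashed once
    and looked up against every stored hash at the same time, so the cost is
    len(wordlist) no matter how many accounts are in the dump (en masse)."""
    users_by_hash = {}
    for user, digest in store.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, hashes_computed = {}, 0
    for word in wordlist:
        hashes_computed += 1
        for user in users_by_hash.get(hash_unsalted(word), []):
            cracked[user] = word
    return cracked, hashes_computed


def crack_salted(store: dict, wordlist: list) -> tuple:
    """Dictionary attack on a salted store. The salt differs per account, so
    the wordlist has to be re-hashed for every account: cost is up to
    len(wordlist) * len(store). Weak passwords still fall, one account at a time."""
    cracked, hashes_computed = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            hashes_computed += 1
            if hash_salted(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("alice/carol share a hash (unsalted):", unsalted["alice"] == unsalted["carol"])
    print("alice/carol share a hash (salted):  ", salted["alice"][1] == salted["carol"][1])
    print("unsalted attack (cracked, hashes computed):", crack_unsalted(unsalted, WORDLIST))
    print("salted attack   (cracked, hashes computed):", crack_salted(salted, WORDLIST))
```

Against the unsalted store the attacker computes seven hashes and recovers three accounts in one pass; against the salted store the same three accounts fall, but only after nineteen hash computations, and the cost keeps growing with the number of accounts in the dump. The caveat a practitioner should take from this is that a salt only multiplies the attacker's work by the number of accounts; a fast hash such as SHA-256 still lets an attacker try millions of guesses per second against any single account, which is why a deliberately slow password hashing function (bcrypt, scrypt or PBKDF2 with a high iteration count) should sit underneath the salt.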

Spotify were keen to stress that credit card details were not stolen; however, credit card information isn't always the prime target for an attacker. Personal information can be worth much more than credit card details on the black market. A person's website password together with a raft of personal information, especially their email address and login handle, is highly valued by Internet-based fraudsters. Why? Because most people reuse the same login credentials across all their website accounts; the average Internet user either does not understand, or poorly risk assesses, the importance of using different passwords for their Facebook and online banking accounts.

If you signed up to Spotify prior to 19th December 2008 then, in addition to following Spotify's advice, make sure you are not using the same password on other websites (do this anyway!). If you are, it goes without saying that you should change those passwords as soon as possible and double check that nothing untoward has occurred on those accounts.
