The fact that the user was logged into Facebook after giving Facebook credentials to Spotify is not the problem. The login screen communicates that this will occur. Maybe it doesn't communicate it as well as it could, but it does communicate it.
The problem is that Spotify added itself to the user's list of apps and granted itself access to the user's data without any communication that this would occur. I guess you could say that permission for Spotify to do that is implicitly granted by giving them your Facebook credentials. But these days, federated authentication and authorization are two different things for end users -- especially so for Facebook apps. Spotify should at least prompt the user before making these changes on their behalf. Very underhanded behavior.
Here's the tricky part: they do ask for permission to post on your behalf when you open the app. It's pretty muted, at the bottom of a popup, and dwarfed by a larger, more colorful call to action.
It's also not entirely obvious to me what happens in every case. If I close the popup, does it still count as my giving consent? If I close the app? My guess is that most people skim over the copy and click the big blue button, totally disregarding the checkbox down there.
Well spotted. But a user who'd disabled/cancelled/deactivated their FB account would assume that action was moot rather than that Spotify were going to illegally access a secondary service posing as you in order to enable that activity.
I'm ashamed that this doesn't surprise me much. This looks like a huge oversight on Facebook's part, but with the countless reports on Facebook failing with privacy here, there and everywhere, it's like I don't care anymore.
The thing that numbs me even more is that client work, no matter how good of an argument one gives, will always have some form of third-party social login because it's oh-so-important and users will _always_ use it.
It isn't an oversight by Facebook - it is by design. Facebook was a part of the decision to use Facebook login credentials to log into Spotify. Additionally, Facebook does not list access to your friend list (and your friends' email addresses) in their list of permissions. Rather, those details are implicit in using Facebook to authenticate.
As an example, using FB to authenticate with Quora does not list access to friends list in the permissions but Quora will send an email to every friend of yours already on Quora to notify them that you joined.
Another issue with this is that if you have never given any Facebook permission to Blizzard, but happen to use the same email address as listed on your Facebook account, then Blizzard will attach your real name to your account without your permission.
Facebook does not give implicit permission to access "your friends' email addresses." In fact, they don't grant that permission under any circumstance.
What I believe the OP was saying is that they grant access to the friends list, and that Quora already has many of their e-mail addresses. Thus, they indirectly get access to your friends' e-mail addresses.
Is this true? I hadn't seen this. I've found Facebook specifically don't let you access the emails of a user's friends. Quora could easily receive higher access of course, but this still seems like it shouldn't be possible.
But Quora gets your email address and your friend list, and then when your friend joins they get your friend's email address, so they can email you both about each other.
Oh ok, so the issue is that the person who joins last has information published about them that they may not want published. I can kinda see that but it's not something that would bother me personally. An app like Grindr yeah, but not Quora.
The issue here isn't with Facebook privacy. If I guess (or you tell me) your bank's online login information, does that give me the right to log-in to your account and start mucking with things? Facebook has an API to access your account through OAuth and Graph; Spotify should never login on your behalf.
That would be illegal (highly illegal actually). It should also be illegal to do what Spotify is doing, but I'll go out on a limb and say that they won't be held accountable. People have gone to jail for incrementing IDs in GET variables, accessing Facebook accounts without permission and installing apps goes way way beyond that.
We have thousands of usernames and passwords for users on our services. If we then tried using these to log into our users' Facebook accounts in order to install an app of ours we'd be rightly prosecuted. Yet this is exactly what Spotify are doing.
Ok, if we added some text saying 'Login with Facebook' to our login form and then did the above it would be exactly what Spotify are doing. And still illegal.
Spotify aren't "logging into the user's account" as suggested; the user is signing in with their FB details and by adding an app to their account FB reactivates their account. The issue here is only one of poor communication, not of illegal account access. Saying otherwise is disingenuous.
We kind of have a different problem. Clients all want it in the apps we make, but analytics show that very few users use those features. Which sucks because it takes forever to implement all that stuff -_-
Do you know of any 3rd party data on that (perhaps a blog post or published data)? Intuitively I believe what you are saying, but I really want to show someone else.
And yet that in no way gives them the right to use that to log into your facebook (rather than using the API to authenticate) and install the spotify facebook app (giving themselves whatever permissions they like without asking the user).
Of course, the lesson here (besides that spotify cannot be trusted) is that you should never use a password for more than one account. Sure makes me glad I switched to using a password manager that uses randomly generated different passwords for each service I sign up to.
Facebook and Spotify are tightly partnered together - at one point they actually REQUIRED the use of Facebook to log in. The option to register without Facebook was only reintroduced recently.
For Facebook they do. They have a tight partnership. If Spotify did something wrong with their Facebook app, Facebook would have removed their app a long time ago.
In the US, when spotify first opened up to Americans you could sign up without facebook credentials. About a month later, they decided to go facebook only for new setups.
Spotify started requiring a Facebook login from all new users on 22nd September 2011. On 6th December 2012 they put the non-FB signup option back. You signed up before they required FB so you never saw the requirement.
If you read the reply again, they allowed you to use a username, then required Facebook, then reintroduced the ability to use a username. You probably were using a username before they started requiring Facebook.
Facebook and Spotify share a number of investors: billionaire Li Ka Shing has a stake in Facebook and Spotify. Yuri Milner’s DST Global, which owns roughly 10% of Facebook, is also in negotiations to buy a stake in Spotify. Facebook’s founding president and Napster founder Sean Parker, sits on the board of Spotify.
I assume the parent post does - and so do I, in at least this particular case, seeing how closely knit Facebook and Spotify are.
There's not just a shared investor group - there's also a partnership between the two companies. And it's pretty strong, as in: yes, it does seem like they have shared product control or at least great influence on each other's product management.
Mark Zuckerberg is listed and quoted as one of the references on their sign up page, by the way.
I would understand if the parent comment had noted everything in your second and third paragraphs about the strong partnership between product teams and Mark Zuckerberg's reference on the sign up page. That stuff seems incredibly relevant in this context.
If the intention was to paint the companies as working closely together, talk about how they actually work closely together, not about how the same VC firms at two different points in time happened to give them some money.
At the level of implementation of individual features like what happens when a user logs in with an email address instead of a username, I am absolutely suggesting that the influence is so minimal as to be irrelevant.
To be clear I think this is very serious. There is a reason I deleted my Facebook account in 2009 and have never had a Spotify account.
But you were clearly trying to suggest that shared investors have something to do with this. There's no other information in your comment except that the two companies share investors. And in the context of this incident the only possible implication of your comment is that shared investors somehow influenced this. Otherwise why post the comment at all?
This is just Spotify not finding a user with username=[your email address] and looking for that user on Facebook.
I did a test by creating an account with the email benjamintesterton@mailinator.com (not linked to a Facebook account) and username benjamintesterton. When I tried logging in with the email, it failed, but with just the username worked.
If logging in with the email did work, it would mean that Spotify authenticated you with their server and then abused your credential re-use to hack your Facebook account. However, this appears not to be the case.
They should just check email=[input] OR username=[input], but that may be backwards-incompatible and break the functionality of people who use their Facebook credentials to login.
Not just finding a user on Facebook with an email address, because they also log into the Facebook account and add their app to it. (Hence the re-activation email as well.) Very shady.
I really doubt this is Spotify's fault. Facebook has quite the trigger-finger when it comes to reactivation -- clicking a like button with the right cookies will do it, IIRC.
That is correct. It says quite clearly "Facebook Email or Spotify Username". It's the user's mistake for using their Facebook account instead of the account they just created.
I don't think it's fair to blame the user for that. This is a standard-looking login form that users will have seen hundreds or thousands of times before. You don't reinterpret the words on a login form every time you see a new one; you type in the stuff to log you in without really thinking about it.
Regardless of Spotify's intentions here, they're benefitting from users' trust in normal login processes to get Facebook account access. Lots of designs exploit users' automatic behaviors like that; see Dark Patterns [1].
Yes, true, but I thought it would be a lot more damning if they also authenticated via Spotify email, because that would mean that they accessed the Facebook account while already having authenticated the user via Spotify credentials.
Spotify is able to do this because they have partnered with Facebook. Facebook has whitelisted them for a set of APIs that allow them to convert a Facebook user/password into a Facebook auth token. Any time this whitelisted API is called, the application that called it is automatically added to the user's list of applications. Spotify is then whitelisted (by Facebook) for a second set of APIs that allow them to add any permission available to the Facebook access token they were issued. This is why you see permissions being added to the application that were not clearly communicated. Facebook requires partners that are on these whitelists to clearly communicate what is happening, but IMO Spotify does a particularly poor job of this.
It says quite clearly: "Log in with Facebook or Spotify". That means you can log in using a Facebook account or a Spotify account.
The username field says "Facebook Email or Spotify Username". So when you type an email, you log in using a Facebook account.
It's not that hard to understand. By the way, that account you made on the sign up page is still unused: you logged in using a Facebook account, which is a different account from the one you just registered, so you have two Spotify users now - one you signed up w/o Facebook and one you actually logged into.
It says "Log in with Facebook or Spotify," not "Log in with Spotify, or log in with Facebook, reactivating a disabled account if necessary, and then grant us a bunch of permissions." Nobody cares that it attempted a Facebook authentication. We care that it silently reactivated the Facebook account and silently gave itself permissions.
I disagree that it's clear. A placeholder in a field is no substitute for an actual label. It should be an enhancement, not a replacement. With the number of places using e-mail addresses as usernames, it's a natural mistake.
Well yes of course, you shouldn't use the same user:pass for different sites. But a lot of people do, and that opens them up to being hacked if the password for one site is revealed.
Spotify are knowingly logging into the OP's Facebook account without the OP's permission. Shouldn't this qualify as unauthorised access, as in a Federal offence?
Also, this is yet another privacy threat that I dodged because I use the PwdHash extension (https://www.pwdhash.com/). You type the same password for all sites, but the extension invisibly uniquifies them on a per-site basis.
Doesn't seem like a good fit for the paranoid. If you screw up and your master password leaks, an attacker can access all of your accounts.
I greatly prefer KeePass + Dropbox, which also lets you securely store usernames and notes. And the passwords are random and not derived from anything.
While it's not a perfect solution, most of the time you are not trying to protect yourself from a dedicated, thinking, hacker. Instead you're protecting yourself against automated systems that share passwords. Unless it was commonplace it would avoid a majority of those issues.
Agreed. But OTOH it's a very lightweight solution, which is an advantage. And in any case, it's MUCH better than using the same unhashed password everywhere.
I'm claiming that using PwdHash is strictly better than not using it. YMMV.
To be honest, that looks like it has some drawbacks when used with different domains that use the same authentication backend.
Think Google's different domains (google.com, google.co.uk, google.nl, gmail.com etc.) The demo gives a different hashed password whenever the TLD differs. And seeing that Google by default redirects you to the homepage of whatever country you're in at the moment, you might end up getting burned by the extension when travelling.
The problem of sharing passwords across domains is one of the things that prompted me to write the password-generating service Cryptasia [1].
In short, Cryptasia uses a Google Spreadsheet entirely owned & controlled by each user as a 3rd party data store. Each row contains the friendly name of the site, the login URL, the password generation key, a list of allowed characters, which characters are required, and the length of the password to create. By using the same generator key and character sets, one can have the same password for multiple websites. The password can also be changed for a website without having to change your master passphrase, since just changing the generator key (say, adding a "1" afterward) completely changes the created password.
I know it's not as easy to use as a browser extension, but when I visited Europe it was nice to be able to hop on any computer in one of the hotels and check my email.
I can throw this on Github if anyone's interested (the source-code is all in unobscured JS, too).
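The cross-TLD problem raised above (google.com vs google.co.uk deriving different hashed passwords) and the Cryptasia idea of a per-site generator key can both be shown in a few lines. This is an added illustration, not PwdHash's or Cryptasia's actual code: it uses HMAC-SHA256 as a stand-in derivation, and the alias table that folds sibling domains onto one canonical label is an assumption for illustration.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed alias table (assumption for illustration): hosts that share one
# authentication backend are folded onto a single canonical label so that the
# derived password is the same whichever country domain you were redirected to.
ALIASES = {
    "google.com": "google.com",
    "google.co.uk": "google.com",
    "google.nl": "google.com",
    "gmail.com": "google.com",
}

ALPHABET = string.ascii_letters + string.digits


def host_of(url: str) -> str:
    """Return the host part of a URL (or bare hostname), without a 'www.' prefix."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def canonical_site(url: str, aliases=ALIASES) -> str:
    """Map a URL to the label used as the derivation salt.

    Without an alias hit this is just the host as typed, which is exactly the
    behaviour that bites a traveller: google.co.uk != google.com.
    """
    host = host_of(url)
    for alias, canonical in aliases.items():
        if host == alias or host.endswith("." + alias):
            return canonical
    return host


def derive_password(master: str, site: str, generator_key: str = "",
                    length: int = 16, alphabet: str = ALPHABET) -> str:
    """Per-site password from a master passphrase and a site label.

    Stand-in construction: HMAC-SHA256 keyed by the master passphrase over
    site || NUL || generator_key. The generator_key mirrors the Cryptasia trick:
    changing it (e.g. to "1") rotates one site's password without touching the
    master passphrase. The digest is read as a big integer and written out in
    base len(alphabet); with 256 bits of digest and 16 symbols the bias is negligible.
    """
    msg = (site + "\0" + generator_key).encode()
    n = int.from_bytes(hmac.new(master.encode(), msg, hashlib.sha256).digest(), "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def site_passwords(master: str, urls, aliases=ALIASES) -> dict:
    """Derive the password for each URL, keyed by URL, using the alias mapping."""
    return {u: derive_password(master, canonical_site(u, aliases)) for u in urls}


if __name__ == "__main__":
    # Constructed sample: the same master passphrase typed on three Google hosts.
    raw = {u: derive_password("correct horse battery", host_of(u))
           for u in ("google.com", "google.co.uk", "gmail.com")}
    print("without aliases:", raw)
    print("with aliases:   ", site_passwords("correct horse battery", raw.keys()))
```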
> you might end up getting burned by the extension when travelling.
Good point. This could happen. I'm assuming by "burned" you mean "unable to login". If so, you can always type in your home country's domain into the webapp version and get the correct hashed password. I agree this isn't ideal. Just saying that there's a plan B.
If this type of behavior continues to be tolerated by users, the entire industry will suffer the backlash at some point. A few companies using obfuscated or unclear defaults will make it more likely that the government will bring down heavy legislation on all companies.
Why is everyone jumping to blame Spotify for maliciousness? All I see is that they have a bug where they instantly assume emails = Facebook login. Then they try logging in using that email, and because this user reuses passwords, it works.
It takes two to Tango, but I see incompetence on both sides rather than maliciousness.
It's not a "bug" if they specifically ask the user for their "facebook email" or their "spotify username" - which of course they do!
So if the user provides their facebook email and the correct password to match, which this user did, the correct behaviour is to log the user in via facebook. Which of course Spotify did.
No bug there. I'd say that this is mostly user error - but possibly Spotify could make it more obvious.
I never used the word malicious. I used the word "behavior". Behavior encapsulates incompetence, poor design, maliciousness, etc. I don't presume to know what was behind the implementation... I just don't think it should be tolerated.
I'd want to know if the OP ever had a Spotify account before, with the same email (m*@gmail.com). I suspect he has, and that Spotify account was previously linked to the FB account.
Another strong possibility is that he has an existing Spotify account which was created using Facebook Connect. Creating an account with FB Connect would provide Spotify his email, and Spotify would likely have created a user record for that email (this is the recommended behavior from FB).
If either is true, then I think this is what happened:
- Spotify has an old user record in their database, associated with his Facebook account. He might not realize this, especially if his Spotify account was created via FB Connect.
- When he created the new Spotify account, Spotify had a bug/feature which linked the new Spotify account with the old Spotify account.
- Spotify then sent a "logged in via FB Connect" signal to Facebook, which caused his Facebook account to reactivate. This is normal behavior for Facebook - FB interprets any login gesture as a signal that you want to reactivate your account (be it a 3rd party login via FB connect, opening the FB app on your phone, or logging into the FB website)
This seems plausible to me, and wouldn't indicate any malice. Whereas Spotify's engineers writing a screen scraper to login to Facebook and secretly install an app seems exceedingly unlikely.
That's in Swedish for me but I assume it's localized. It says that there are two options, one is deactivation, and if you don't believe you'll need your account again, the other is deletion.
So happy that I use 1Password to generate random passwords for every single service I use. This wouldn't be possible if everyone was more aware of security - still, I find the way Facebook treats its users increasingly disturbing and seriously consider leaving it.
I remember once when I was automatically logged in to my roommate's Spotify account on my computer just because we were on the same WiFi network (?). She had never used my computer, let alone logged in to her Spotify account on it.
I may be wrong here, but isn't it the case that Facebook re-activates your account as soon as you log in with Facebook Connect on a 3rd-party site?
I really hate that, but what if you're using something like coughBangYourFriendscough Spotify, deactivate your Facebook account and can't use Spotify anymore? Maybe you're a paying customer to Spotify? How do you cancel your membership if you can't login anymore?
To me this seems like a Big Communication Problem™ between the User and the App/Facebook. The Facebook API needs a functionality that says "Using a deactivated account for Facebook Connect re-activates your old account automatically".
I totally disagree with methods like this, but it seems plausible in that way.
I somehow thought that apps could no longer 'login' to social network accounts using usernames/passwords, so that they would have to use OAuth instead? There should be a way that Facebook and Twitter would prevent an app from using login information in order to bypass the 'app authorization' dialog which is supposed to be shown to users to tell them what the app can do to their account.
You mean they can't do it from a Terms of Service point of view? Because from a technical perspective there is nothing that could prevent an app or any other piece of software from logging in as you once you've passed your credentials (in this case username and password) to such an app.
This is why no two services know me by exactly the same email address, and different passwords are used everywhere. If I want to share some of my information with your app I will do so deliberately, otherwise you are not getting anything. What's that you say? I can only sign up via Facebook? Well then fine, I guess that means I'll be living without whatever you are hawking.
Unless Spotify has some backdoor API with Facebook, it seems like a major oversight in the Facebook API that an (any?) app can re-register a deactivated account and give itself whatever permissions it wants.
Just because Spotify accidentally (or purposefully) took advantage of that hole doesn't mean it's not Facebook at fault here.
What would you call it? Asking for information for activity X and using it to do activity Y without your permission sounds exactly like phishing to me.
There really isn't anything janky going on here; it's a lack of communication on the part of the Spotify program and a lack of understanding on the part of the user.
As for Spotify, as a long time user I love it. Very much worth a try.
You can sign up with an email address, but the option is hidden quite low in the signup page.
Best way to avoid this sort of stuff is just to sign up to spotify with throwaway email.
I have found that it's worth buying a domain name and just tying it to a VPS with SMTP installed (or using a third-party service that offers unlimited addresses). That way you can just generate throwaway email addresses as you need them.
You can also use Mailinator[0] and their many other domains for throwaway email addresses. In fact, you can point your MX records to mail.mailinator.com for a custom domain without running a VPS.[1]
Not necessarily. They also give you a “gibberish” address to the account. So if I use “foobar” as my mailbox on mailinator, they will list an address like M8R-wk43th@mailinator too, that does not let people log in.
Did anyone else read this and then scroll to the top only to realize they'd been reading and comprehending german the entire time and then suddenly forgot it?
Use separate passwords. This is Spotify's screwup as much as Facebook's. I noticed the same thing (because I use separate passwords) and was able to avoid this. Stupid Spotify. That's why I run my own Subsonic server. No uploading, nobody else's limits, etc.