
Spotify and Facebook: Is that phishing? - linx
https://weluse.de/blog/spotify-an-facebook-ist-das-schon-phishing.html#spotify-and-facebook-is-that-phishing
======
noonat
The fact that the user was logged into Facebook after giving Facebook
credentials to Spotify is not the problem. The login screen communicates that
this will occur. Maybe it doesn't communicate it as well as it could, but it
does communicate it.

The problem is that Spotify added itself to the user's list of apps and
granted itself access to the user's data without any communication that this
would occur. I guess you could say that permission for Spotify to do that is
implicitly granted by giving them your Facebook credentials. But these days,
federated authentication and authorization are two different things for end
users -- especially so for Facebook apps. Spotify should _at least_ prompt the
user before making these changes on their behalf. Very underhanded behavior.

~~~
szidev
Here's the tricky part: they do ask for permission to post on your behalf when
you open the app. It's pretty muted, at the bottom of a popup, and dwarfed by
a larger, more colorful call to action.

Here's a screenshot: <http://i.imgur.com/oWDstiC.png>

It's also not entirely obvious to me what happens in every case. If I close
the popup, does it still count as my giving consent? If I close the app? My
guess is that most people skim over the copy and click the big blue button,
totally disregarding the checkbox down there.

~~~
pbhjpbhj
Well spotted. But a user who'd disabled/cancelled/deactivated their FB account
would assume that action was moot rather than that Spotify were going to
illegally access a secondary service posing as you in order to enable that
activity.

------
ineedtosleep
I'm ashamed that this doesn't surprise me much. This looks like a huge
oversight on Facebook's part, but with the countless reports on Facebook
failing with privacy here, there and everywhere, it's like I don't care
anymore.

The thing that numbs me even more is that client work, no matter how good of
an argument one gives, will always have some form of third-party social login
because it's oh-so-important and users will _always_ use it.

~~~
scottmp10
It isn't an oversight by Facebook - it is by design. Facebook was a part of
the decision to use Facebook login credentials to log into Spotify.
Additionally, Facebook does not list access to your friend list (and your
friends' email addresses) in their list of permissions. Rather, those details
are implicit in using Facebook to authenticate.

As an example, using FB to authenticate with Quora does not list access to
friends list in the permissions but Quora will send an email to every friend
of yours already on Quora to notify them that you joined.

Another issue with this is that if you have never given any Facebook
permission to Blizzard, but happen to use the same email address as listed on
your Facebook account then Blizzard will attach your real name to your account
without your permission.

~~~
intelekshual
Facebook does not give implicit permission to access "your friends' email
addresses." In fact, they don't grant that permission under any circumstance.

~~~
nitrogen
What I believe the OP was saying is that they grant access to the friends
list, and that Quora already has many of their e-mail addresses. Thus, they
indirectly get access to your friends' e-mail addresses.

------
RexM
It says "Facebook Email or Spotify Username" in the login box before typing in
a username/email.

As far as I know, spotify uses username for login, and not email. By using
your email, it's assuming you want to use facebook.

~~~
dkersten
And yet that in no way gives them the right to use that to log into your
facebook (rather than using the API to authenticate) and install the spotify
facebook app (giving themselves whatever permissions they like without asking
the user).

Of course, the lesson here (besides that spotify cannot be trusted) is that
you should never use a password for more than one account. Sure makes me glad
I switched to using a password manager that uses randomly generated different
passwords for each service I sign up to.

~~~
Superanos
Facebook and Spotify are tightly partnered together - at one point they
actually REQUIRED the use of Facebook to log in. The option to register
without Facebook was only reintroduced recently.

~~~
seivan
Not true, I don't use Facebook and I was part of the Open Beta many years ago.

~~~
mitchty
In the US, when spotify first opened up to Americans you could sign up without
facebook credentials. About a month later, they decided to go facebook only
for new setups.

------
Create
Facebook and Spotify share a number of investors: billionaire Li Ka Shing has
a stake in Facebook and Spotify. Yuri Milner’s DST Global, which owns roughly
10% of Facebook, is also in negotiations to buy a stake in Spotify. Facebook’s
founding president and Napster founder Sean Parker sits on the board of
Spotify.

<http://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-thought-requires-free-media>

~~~
stanleydrew
I don't understand this comment. Many companies share investors, especially at
the level of Facebook and Spotify.

Are you trying to suggest that a mutual investor somehow has enough product
control to strong-arm Facebook and Spotify into this?

~~~
ersii
I assume the parent post does - and so do I, in at least this particular case,
seeing how closely knit Facebook and Spotify are.

There's not just a shared investor group - there's also a partnership between
the two companies. And it's pretty strong, as in: yes, it does seem like they
have shared product control or at least great influence on each other's
product management.

Mark Zuckerberg is listed and quoted as one of the references on their sign up
page, by the way.

~~~
stanleydrew
I would understand if the parent comment had noted everything in your second
and third paragraphs about the strong partnership between product teams and
Mark Zuckerberg's reference on the sign up page. That stuff seems incredibly
relevant in this context.

If the intention was to paint the companies as working closely together, talk
about how they actually work closely together, not about how the same VC firms
at two different points in time happened to give them some money.

------
benmanns
This is just Spotify not finding a user with username=[your email address] and
looking for that user on Facebook.

I did a test by creating an account with the email
benjamintesterton@mailinator.com (not linked to a Facebook account) and
username benjamintesterton. When I tried logging in with the email, it failed,
but with just the username worked.

If logging in with the email did work, it would mean that Spotify
authenticated you with their server and then abused your credential re-use to
hack your Facebook account. However, this appears not to be the case.

They should just check email=[input] OR username=[input], but that may be
backwards-incompatible and break the functionality of people who use their
Facebook credentials to login.
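
As an added illustration (not Spotify's code and not from the thread), here is the identifier-resolution logic described above: an "email-shaped means Facebook" shortcut that forwards the typed password to a third party, beside a version that checks email OR username against local accounts first and forwards nothing. The account store, the hashing and the sample account are constructed stand-ins.

```python
"""Login identifier resolution: the ambiguity discussed above, and a fix.
Constructed example. legacy_login() treats any email-shaped identifier as a
Facebook login and forwards the typed password; hardened_login() resolves
email OR username against local accounts and never forwards a password."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hash; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AccountStore:
    """In-memory stand-in for the user table."""

    def __init__(self):
        self.accounts = []

    def create(self, username: str, email: str, password: str) -> Account:
        salt = os.urandom(16)
        acct = Account(username.lower(), email.lower(), salt, _hash(password, salt))
        self.accounts.append(acct)
        return acct

    def find(self, identifier: str):
        # email=[input] OR username=[input], as suggested in the thread
        ident = identifier.strip().lower()
        for acct in self.accounts:
            if ident in (acct.email, acct.username):
                return acct
        return None


def _verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def legacy_login(store: AccountStore, identifier: str, password: str):
    """Email-shaped identifier short-circuits to third-party login with the typed password."""
    if "@" in identifier:
        return ("forward_to_facebook", {"email": identifier, "password": password})
    acct = store.find(identifier)
    if acct is not None and _verify(acct, password):
        return ("local_ok", acct.username)
    return ("denied", None)


def hardened_login(store: AccountStore, identifier: str, password: str):
    """Local accounts first; an unknown identifier is denied. Facebook-linked
    users take a separate "Log in with Facebook" button that redirects to
    Facebook, so this form never holds a Facebook password."""
    acct = store.find(identifier)
    if acct is not None and _verify(acct, password):
        return ("local_ok", acct.username)
    return ("denied", None)
```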

~~~
Superanos
That is correct. It says quite clearly "Facebook Email or Spotify Username".
It's the user's mistake for using their Facebook account instead of the
account they just created.

~~~
enaeseth
I don't think it's fair to blame the user for that. This is a standard-looking
login form that users will have seen hundreds or thousands of times before.
You don't reinterpret the words on a login form every time you see a new one;
you type in the stuff to log you in without really thinking about it.

Regardless of Spotify's intentions here, they're benefiting from users' trust
in normal login processes to get Facebook account access. Lots of designs
exploit users' automatic behaviors like that; see Dark Patterns [1].

[1]: <http://darkpatterns.org/>

------
tomarthur
Spotify is able to do this because they have partnered with Facebook. Facebook
has whitelisted them for a set of APIs that allow them to convert a Facebook
User/Password into a Facebook auth token. Any time this whitelisted API is
called the application that called it is automatically added to the user's list
of applications. Spotify is then whitelisted (by Facebook) for a second set
of APIs that allow them to add any permission available to the Facebook
access token they were issued. This is why you see permissions being added to
the application that were not clearly communicated. Facebook requires partners
that are on these whitelists to clearly communicate what is happening, but
IMO Spotify does a particularly poor job of this.

------
Superanos
It says quite clearly: "Log in with Facebook or Spotify". That means you can
log in using a Facebook account or a Spotify account.

The username field says "Facebook Email or Spotify Username". So when you type
an email, you log in using a Facebook account.

It's not that hard to understand. By the way, that account you made on the
sign up page is still unused: you logged in using a Facebook account, which is
a different account from the one you just registered, so you have two spotify
users now - one you signed up w/o Facebook and one you actually logged into.

~~~
fusiongyro
It says "Log in with Facebook or Spotify," not "Log in with Spotify, or log in
with Facebook, reactivating a disabled account if necessary, and then grant us
a bunch of permissions." Nobody cares that it attempted a Facebook
authentication. We care that it silently reactivated the Facebook account and
silently gave itself permissions.

------
todd3834
Simple solution, don't use the same password for all of your accounts and read
the instructions, it says username or facebook email.

~~~
thinkling
Not only don't use the same password, but don't give your FB password to
another app or website. Duh.

------
andreyf
If you don't want someone to mess with your Facebook account, then perhaps you
shouldn't give them your Facebook login and password...

~~~
analog
Well yes of course, you shouldn't use the same user:pass for different sites.
But a lot of people do, and that opens them up to being hacked if the password
for one site is revealed.

Spotify are knowingly logging into the OP's Facebook account without the OP's
permission. Shouldn't this qualify as unauthorised access, as in a Federal
offence?

------
luser001
Amazing.

Also, this is yet another privacy threat that I dodged because I use the
PwdHash extension (<https://www.pwdhash.com/>). _You_ type the same password
for all sites, but the extension invisibly uniquifies them on a per-site
basis.
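
As an added example (not the PwdHash extension's own algorithm, which is HMAC-MD5 based with its own output encoding), this derives one distinct password per site from a single master by keying an HMAC-SHA256 on the site's domain. Keying on the domain rather than the full host is what lets www. and m. subdomains agree while a look-alike domain gets a different password; the same determinism is also why the master is the one secret that must never leak. The URLs and master value are constructed.

```python
"""PwdHash-style per-site password derivation (constructed illustration).
Per-site password = base64(HMAC-SHA256(key=master, msg=site domain))[:length].
Not the real PwdHash scheme; the shape of the trade-off is the same."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the derivation is keyed on.

    Naive: keeps the last two host labels, lower-cased, with no public-suffix
    list (so 'example.co.uk' would collapse to 'co.uk'). Good enough to show
    that www.facebook.com and m.facebook.com share a key while
    facebook.com.evil.example does not.
    """
    host = (urlsplit(url).hostname or url).lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def derive(master: str, url: str, length: int = 20) -> str:
    """One master, one distinct password per site. The output is deterministic
    and stateless: nothing is stored, so the same master on any machine gives
    the same site password, and anyone holding the master can re-derive all."""
    digest = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def reuse_detected(master: str, urls: list) -> bool:
    """True if any two distinct site keys ended up with the same password,
    i.e. the scheme failed to break credential reuse between those sites."""
    seen = {}
    for url in urls:
        pw = derive(master, url)
        key = site_key(url)
        if pw in seen and seen[pw] != key:
            return True
        seen[pw] = key
    return False
```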

~~~
eli
Doesn't seem like a good fit for the paranoid. If you screw up and your master
password leaks, an attacker can access _all_ of your accounts.

I greatly prefer KeePass + Dropbox, which also lets you securely store
usernames and notes. And the passwords are random and not derived from
anything.

~~~
zeidrich
While it's not a perfect solution, most of the time you are not trying to
protect yourself from a dedicated, thinking, hacker. Instead you're protecting
yourself against automated systems that share passwords. Unless it was
commonplace it would avoid a majority of those issues.

------
ActVen
If this type of behavior continues to be tolerated by users, the entire
industry will suffer the backlash at some point. A few companies using
obfuscated or unclear defaults will make it more likely that the government
will bring down heavy legislation on all companies.

~~~
Elessar
Why is everyone jumping to blame Spotify for maliciousness? All I see is that
they have a bug where they instantly assume emails = Facebook login. Then they
try logging in using that email, and because this user reuses passwords, it
works.

It takes two to Tango, but I see incompetence on both sides rather than
maliciousness.

~~~
wubbfindel
It's not a "bug" if they specifically ask the user for their "facebook email"
or their "spotify username" - which of course they do!

So if the user provides their facebook email and the correct password to
match, which this user did, the correct behaviour is to log the user in via
facebook. Which of course Spotify did.

No bug there. I'd say that this is mostly user error - but possibly Spotify
could make it more obvious.

~~~
jimzvz
So reactivating the facebook account and adding the app to the facebook
account without the user agreeing to either is fine for you?

~~~
wubbfindel
I would argue that the user did agree to that when they provided Spotify with
their facebook email AND the correct password.

But, as I said before, Spotify could make this clearer.

Also see this comment: <http://news.ycombinator.com/item?id=5267040>

------
qeorge
I'd want to know if the OP ever had a Spotify account before, with the same
email (m __*@gmail.com). I suspect he has, and that Spotify account was
previously linked to the FB account.

Another strong possibility is that he has an existing Spotify account which
was created using Facebook Connect. Creating an account with FB Connect would
provide Spotify his email, and Spotify would likely have created a user record
for that email (this is the recommended behavior from FB).

If either is true, then I think this is what happened:

- Spotify has an old user record in their database, associated with his
Facebook account. He might not realize this, especially if his Spotify account
was created via FB Connect.

- When he created the new Spotify account, Spotify had a bug/feature which
linked the new Spotify account with the old Spotify account.

- Spotify then sent a "logged in via FB Connect" signal to Facebook, which
caused his Facebook account to reactivate. This is normal behavior for
Facebook - FB interprets any login gesture as a signal that you want to
reactivate your account (be it a 3rd party login via FB connect, opening the
FB app on your phone, or logging into the FB website).

This seems plausible to me, and wouldn't indicate any malice. Whereas
Spotify's engineers writing a screen scraper to login to Facebook and secretly
install an app seems exceedingly unlikely.

------
INTPenis
It is, or at least was, possible to delete your facebook account. Not just
deactivate it.

<http://www.facebook.com/help/224562897555674?_fb_noscript=1>

That's in Swedish for me but I assume it's localized. It says that there are
two options, one is deactivation, and if you don't believe you'll need your
account again, the other is deletion.

------
oellegaard
So happy that I use 1password to generate random passwords for every single
service I use. This wouldn't be possible if everyone was more aware of
security - still, I find the way facebook treats its users increasingly
disturbing and seriously consider to leave it.

------
Kiro
I remember once when I was automatically logged in to my roommate's Spotify
account on my computer just because we were on the same WiFi network (?). She
had never used my computer, let alone logged in to her Spotify account on it.

I'm still not sure how or why it happened.

------
axx
I may be wrong here, but isn't it the case that Facebook re-activates your
account as soon as you log in with Facebook Connect on a 3rd-party site?

I really hate that, but what if you're using something like _cough_
BangYourFriends _cough_ Spotify, deactivate your Facebook account and can't
use Spotify anymore? Maybe you're a paying customer to Spotify? How do you
cancel your membership if you can't login anymore?

To me this seems like a Big Communication Problem™ between the User and the
App/Facebook. The Facebook API needs a functionality that says "Using a
deactivated account for Facebook Connect re-activates your old account
automatically".

I totally disagree with methods like this, but it seems plausible in that way.

------
dendory
I somehow thought that apps could no longer 'login' to social network accounts
using usernames/passwords, so that they would have to use OAuth instead? There
should be a way that Facebook and Twitter would prevent an app from using
login information in order to bypass the 'app authorization' dialog which is
supposed to be shown to users to tell them what the app can do to their
account.

~~~
mixedbit
You mean they can't do it from a Terms of Service point of view? Because from a
technical perspective there is nothing that could prevent an app or any other
piece of software from logging in as you once you've passed your credentials (in
this case username and password) to such an app.

------
dspillett
This is why no two services know me by exactly the same email address, and
different passwords are used everywhere. If I want to share some of my
information with your app I will do so deliberately, otherwise you are not
getting anything. What's that you say? I can only sign up via Facebook? Well
then fine, I guess that means I'll be living without whatever you are
hawking.

------
kmfrk
This is pretty shameless, even for Facebook.

~~~
tlrobinson
Except it's Spotify doing it, not Facebook...

~~~
mjschultz
Unless Spotify has some backdoor API with Facebook, it seems like a major
oversight in the Facebook API that an (any?) app can re-register a deactivated
account and give itself whatever permissions it wants.

Just because Spotify accidentally (or purposefully) took advantage of that
hole doesn't mean it's not Facebook at fault here.

------
mikec3k
No, it's not phishing.

~~~
jonknee
What would you call it? Asking for information for activity X and using it to
do activity Y without your permission sounds exactly like phishing to me.

------
xordon
To Summarize:

1. Using the same password for Spotify and Facebook is a dumb thing to do.
Don't do it.

2. Entering an email address instead of a username means Spotify will use
Facebook auth (it should be made more obvious to users).

3. Using the Facebook API to auth will re-enable your Facebook account
(apparently restoring photos and friends lists).

4. Facebook adds Spotify as an app and gives it access to your Facebook
account data without explicit permission.

------
Comkid
It should be noted that Spotify is directly integrated into Facebook

<https://www.facebook.com/music>

You have the ability to pause and play music from Facebook (which I doubt
exists for any other music player with any sort of Facebook integration)

------
drue
I wanted to try spotify a while back but got stuck when it required a FB
account.

Sounds like it's no longer required, but I suppose I still don't trust them
enough to try their service.

~~~
jiggy2011
You can sign up with an email address, but the option is hidden quite low in
the signup page.

Best way to avoid this sort of stuff is just to sign up to spotify with
throwaway email.

I have found that it's worth buying a domain name and just tying it to a VPS
with SMTP installed (or using a third-party service that offers unlimited
addresses). That way you can just generate throwaway email addresses as you
need them.

~~~
benmanns
You can also use Mailinator[0] and their many other domains for throwaway
email addresses. In fact, you can point your MX records to mail.mailinator.com
for a custom domain without running a VPS.[1]

[0] <http://www.mailinator.com/>

[1] <http://mailinator.blogspot.com/2008/01/your-own-private-mailinator.html>

~~~
jiggy2011
True, but those services are quite limited and not that secure in that anybody
who knows the email address can login to your account.

~~~
ehamberg
Not necessarily. They also give you a "gibberish" address to the account. So
if I use "foobar" as my mailbox on mailinator, they will list an address like
_M8R-wk43th@mailinator_ too, that does _not_ let people log in.

------
berdon
Did anyone else read this and then scroll to the top only to realize they'd
been reading and comprehending German the entire time and then suddenly forgot
it?

I did. :/

~~~
arturkim
I actually hadn't scrolled up. I had to revisit the page to understand what
you were talking about.

------
runn1ng
It's funny though that Facebook frequently asks you for your password to your
e-mail account.

For very similar kind of thing.

------
whaevr
Spotify up on the front page of HN 2 days in a row now... and for all the wrong
reasons. Hah

------
ssapkota
That is why I always use a different password for each service.

------
drivebyacct2
Use separate passwords. This is Spotify's screwup as much as Facebook's. I
noticed the same thing (because I use separate passwords) and was able to
avoid this. Stupid Spotify. That's why I run my own Subsonic server. No
uploading, nobody else's limits, etc.

