
Spotify ads infect users with malware - spaniard_dev
https://community.spotify.com/t5/Ongoing-Issues/Spotify-Free-ads-causes-browser-to-launch-on-malware-virus/idi-p/1461222
======
pedalpete
I'm not sure how much I believe this unless I see video proof (or have it
happen on my machine).

I see how this might be possible as the ads are loaded via javascript, but the
javascript running the ads should be owned by Spotify, not the advertising
company, that should just be an image file. Somebody please correct me if I'm
wrong.

On another note, this statement "Some of them do not even require user action
to be able to cause harm." makes me trust this even less. If the ad is opening
a new browser window, that browser window is sandboxed. Sure it can ask the
user to take an action, but it can't take an action on behalf of the user.

Anybody else have insights on this?

~~~
yaegers
>"Some of them do not even require user action to be able to cause harm."
makes me trust this even less. If the ad is opening a new browser window, that
browser window is sandboxed. Sure it can ask the user to take an action, but
it can't take an action on behalf of the user.

Google "drive-by download" and see how that is precisely what can happen.
[https://en.wikipedia.org/wiki/Drive-by_download](https://en.wikipedia.org/wiki/Drive-by_download)

"Any download that happens without a person's knowledge, often a computer
virus, spyware, malware, or crimeware.[1]

Drive-by downloads may happen when visiting a website, viewing an e-mail
message or by clicking on a deceptive pop-up window."

Personally I would never trust that anything browser related is truly
sandboxed. If that were the case, why would I need anti malware scanners and
tools?

This is, by the way, another reason why I use adblock and noscript. So that
when I visit a site for the first time, nothing active-element related will
automatically run. So, in this case, even if the ads from Spotify open my
web browser and a tab to a malicious site, I would just close it and be done
with it. It is still weird why an ad should have the ability to call an open
URL command at all.

------
wcummings
>it will launch - and keep on launching - the default internet browser on the
computer

>it's still puzzling something like this can actually happen.

I think the interesting thing is that it's the default browser. If the ads were
in an embedded Trident or Gecko frame, would something like window.open open
the default browser?
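
A defensive illustration of the points raised in this thread (that an ad creative should be a plain image, and that it should not be able to open a browser or navigate on its own): this is an added example, not code from Spotify or from anyone in the thread, showing how an ad host could wrap a third-party creative in a sandboxed iframe and lint the sandbox tokens it grants. The creative shape `{imageUrl, clickUrl}` and the token policy are assumptions for the example.

```javascript
// Added example (not from the thread or from Spotify). Confines an ad creative
// to "show an image, navigate only on a real click" using the HTML iframe
// sandbox attribute, and audits a sandbox token list for grants that would let
// a creative act without user interaction. The {imageUrl, clickUrl} creative
// shape and the chosen token policy are assumptions.

// Sandbox tokens that give a creative more than an image ad needs.
const RISKY_TOKENS = {
  "allow-top-navigation": "frame may navigate the top window with no user gesture",
  "allow-popups-to-escape-sandbox": "popups opened by the frame lose all restrictions",
  "allow-modals": "frame may block the page with alert/prompt dialogs",
};

// Returns a list of human-readable findings; an empty list means the policy is tight.
function auditSandbox(tokenString) {
  const tokens = new Set(tokenString.trim().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  // A scripted frame that is same-origin with its parent can remove its own sandbox.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: frame can strip its own sandbox");
  }
  return findings;
}

// Escape creative-supplied strings before placing them in markup or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function isHttpsUrl(u) {
  try { return new URL(u).protocol === "https:"; } catch { return false; }
}

// Minimal grant for a click-through image ad: top navigation only after a user gesture.
// "allow-scripts" is deliberately absent, so no creative-supplied script runs at all.
const AD_SANDBOX = "allow-top-navigation-by-user-activation";

function renderAdFrame({ imageUrl, clickUrl }) {
  if (!isHttpsUrl(imageUrl) || !isHttpsUrl(clickUrl)) {
    throw new Error("creative rejected: image and click URLs must be https");
  }
  const body = `<a href="${escapeHtml(clickUrl)}" target="_top" rel="noreferrer">` +
               `<img src="${escapeHtml(imageUrl)}" alt=""></a>`;
  return `<iframe sandbox="${AD_SANDBOX}" referrerpolicy="no-referrer" ` +
         `srcdoc="${escapeHtml(body)}"></iframe>`;
}
```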

