
About Spotify, a friend of mine who uses it sent me a link to their website yesterday, and by visiting this link I was logged into her account, could see her personal information and even change her password. I tweeted [1,2] about it as soon as I realized it. It's really a shame such a big website is so low on security…

I guess it might be a link from their desktop app to their website that she followed, but at least they could redirect to a clean URL after having authenticated the user. It's okay that she sent that link to me (it was just to show me the prices of Spotify's monthly subscriptions), but what if she shared it publicly on Twitter or Facebook?

[1] https://twitter.com/p4bl0/status/236967984319590400

[2] https://twitter.com/p4bl0/status/236969256187731968
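The mitigation the comment suggests (a link from the app that authenticates the user once, then redirects to a clean URL so that the copied link authenticates nobody else) as an added example; this is not code from the post or from Spotify, and the in-memory stores, the example.invalid host and the function names are assumptions:

```python
import secrets
import time
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed in-memory stores (assumption: a real site would use its session backend).
_login_links = {}   # one-time token -> (user_id, expiry timestamp)
_sessions = {}      # session id -> user_id


def issue_login_link(user_id, ttl_seconds=300):
    """Mint a short-lived, single-use login link for an 'open in browser' hand-off."""
    token = secrets.token_urlsafe(32)
    _login_links[token] = (user_id, time.time() + ttl_seconds)
    return f"https://example.invalid/premium?auth={token}&plan=monthly"


def handle_request(url, now=None):
    """Simulate the server handling a visited URL.

    Returns a dict with the status, the Location header for a redirect, and
    Set-Cookie when a session was created. The token is consumed on first
    use and the visitor is redirected to the same URL with the token stripped,
    so a link copied from the address bar afterwards no longer logs anyone in.
    """
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    token = params.pop("auth", [None])[0]
    if token is None:
        return {"status": 200}          # ordinary page view, nothing to consume
    # Single use: drop the token whether or not it turns out to be valid.
    entry = _login_links.pop(token, None)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(params, doseq=True), parts.fragment))
    if entry is None or entry[1] < now:
        return {"status": 302, "location": clean}   # unknown or expired: no session
    user_id, _expiry = entry
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = user_id
    return {"status": 302, "location": clean,
            "set_cookie": f"sid={sid}; Secure; HttpOnly; SameSite=Lax"}
```

The session lives only in the cookie; the redirect target keeps the other query parameters but never the token, and a second visit to the original link gets the clean redirect without a session.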
