Introduction
The other day I read a very interesting blog, it showed me how one could potentially encode malicious code within Spotify playlists and run this code using the Spotify API; essentially using Spotify as a CDN. I found this very interesting and since the blog did not feature a fully implemented PoC I decided to make my own.
Purpose
The purpose of this is purely educational and to raise awareness of different attack methods a bad actor may potentially use, I strongly advice against using this code for purposes other than those intended.
How it works
Generating Payload
The data here is stored within the song titles of the playlists, specifically in the first letter of each song. To make sure our data fits here and has all characters typically used within song titles we convert our data into base32 (We don’t use base64 as it contains characters not typically found in songs), with this encoded data we add songs titles for each letter, let us consider the PoC.
|
|
The above code returns the value, OBZGS3TUFATUQZLMNRXSAV3POJWGIJZJ
Playlist
Here one can easily write a script to automatically create a playlist that could hold the base32 output, below is the PoC Playlist,
As you can see taking the first letter of each song in the order presented would give us our payload.
Extracting
Now one just has to write code to read the songs in the playlist, take the first letter in each song title, decode and execute the payload. Below is a part of the PoC available on Github here,
|
|
The above code takes the first letter of every song in the playlist and decodes it from base32 into a string, this string is our malicious code which is then executed. The result of this is,
To run the code one must have APIs keys from Spotify, these can be found here. After receiving both the keys make sure you authorize your client by running the following in a terminal,
|
|
|
|
Limitations
- This method however would be limited by the song limit Spotify has on playlists (10,000 songs)
Conclusion
I hope you found this as interesting as I did, the blog where I read about this can be found here.