Today I was made aware of Spotify Wrapped. On the surface, it seems like a cool little tool to get a perspective of your music-listening habits on Spotify in the last year:
“Take a look at how you listened. Because no one else listened exactly like you.”
But when I visited the site, something smelled fishy (pun intended). I did some poking around and here’s what I found:
- The site is hosted on a non-Spotify domain, spotifywrapped.com.
- The site uses a free Let’s Encrypt certificate that covers spotifywrapped.com and does not specify an Organization.
- The official Spotify domain uses a DigiCert certificate that covers *.spotify.com and specifies that it belongs to the Organization “Spotify AB”.
- All the links on the website – Legal, Privacy, Cookies, etc. – point to pages on spotify.com.
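The checks in that list can be scripted instead of read off the browser’s certificate viewer. The Python below is an added example, not code from the original post: it fetches a server’s leaf certificate with the standard library, reports the Organization and DNS names, and applies the hostname-matching rule under which a single-label wildcard like *.spotify.com covers wrapped.spotify.com but not spotifywrapped.com. The two certificate dicts are constructed from the post’s description (Let’s Encrypt with no Organization versus DigiCert with “Spotify AB”), not real captures, and only mimic the layout that `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection (with SNI) and return the leaf certificate
    in the dict form produced by ssl.SSLSocket.getpeercert(). This is the only
    function that needs network access; everything else works on the dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name: Iterable) -> Dict[str, str]:
    # getpeercert() encodes a distinguished name as a tuple of RDNs,
    # each RDN being a tuple of (attribute, value) pairs.
    return {attr: value for rdn in name for (attr, value) in rdn}


def summarize_identity(cert: dict) -> dict:
    """The fields a person reads off the certificate viewer: who the subject
    claims to be, who vouched for it, and which DNS names it covers.
    'organization' is None on a domain-validated certificate, which is the
    signal the post is pointing at."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    return {
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "dns_names": [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def name_matches(hostname: str, dns_names: List[str]) -> bool:
    """Hostname check in the spirit of RFC 6125: an exact match, or a
    leftmost wildcard that stands for exactly one label. '*.spotify.com'
    covers wrapped.spotify.com but neither spotify.com (no label to fill)
    nor a.b.spotify.com (two labels), and never spotifywrapped.com."""
    host = hostname.lower().rstrip(".")
    for pattern in dns_names:
        pat = pattern.lower().rstrip(".")
        if pat.startswith("*."):
            suffix = pat[1:]                     # e.g. ".spotify.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]     # what the '*' would stand for
                if label and "." not in label:
                    return True
        elif host == pat:
            return True
    return False


# Constructed sample certificates modelled on the post's description (not real captures).
WRAPPED_CERT = {
    "subject": ((("commonName", "spotifywrapped.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "spotifywrapped.com"),),
}
OFFICIAL_CERT = {
    "subject": ((("organizationName", "Spotify AB"),), (("commonName", "*.spotify.com"),)),
    "issuer": ((("organizationName", "DigiCert"),),),
    "subjectAltName": (("DNS", "*.spotify.com"),),
}


if __name__ == "__main__":
    import sys
    # Pass a hostname to inspect a live site; otherwise use the constructed sample.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else WRAPPED_CERT
    info = summarize_identity(cert)
    print(info)
    print("covers spotifywrapped.com:", name_matches("spotifywrapped.com", info["dns_names"]))
```

`create_default_context()` verifies the chain against the system trust store, so a self-signed or mis-issued certificate raises before `getpeercert()` is reached; the point of the script is the step after verification, where a valid certificate for the wrong organisation still looks fine to the browser.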
Upon Googling, I was able to find a Spotify Newsroom (or “For The Record”?) article confirming that this is indeed a Spotify product. Spotify Newsroom/For The Record is hosted on a subdomain of Spotify, and is therefore trustworthy.
This is problematic, because I could very easily make another site (spotifywarped.com, maybe? 😉), get a Let’s Encrypt cert, link to Spotify’s official policy pages, and maybe even use OAuth to get access to user data, all the while pretending to be Spotify.
This sets a precedent and conditions users into handing their personal data to websites hosted on arbitrary domains, which makes it easier to craft successful phishing attacks that piggy-back on brand trust. I think this is less than ideal for the security of the Web.
I want to acknowledge that people who build these products/tools are often under constraints and sometimes it’s necessary to make compromises in order to ship. But I think developers should prioritize site identity hygiene – for the health of the web.
This site should have been on a subdomain of spotify.com. Or at the very least, I’d have been relatively happy with a link to a Spotify-hosted document (like the news article) verifying that Spotify Wrapped is authentic. The more Web developers practice identity hygiene, the more browsers can take advantage of that to build tools and UX to help users protect themselves. It’s an ecosystem.
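The rule “is this a subdomain of spotify.com?” is also the kind of check that browser tooling or an internal link-audit script would implement, and it is easy to get wrong: a string suffix test accepts notspotify.com. The Python below is an added example, not part of the original post; the URLs it checks are made-up illustrations. It compares DNS labels rather than suffixes, requires https, and relies on `urlsplit()` to discard userinfo, so `https://spotify.com@evil.example/` resolves to the host evil.example.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def url_host(url: str) -> Optional[str]:
    """Lower-cased hostname of an https URL, or None if the scheme is not
    https or there is no host. urlsplit() strips userinfo and the port,
    so an '@' trick or an explicit :443 does not change the answer."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_under(host: str, base: str) -> bool:
    """True when host equals base or is a subdomain of it, compared label
    by label. 'spotifywrapped.com' and 'spotify.com.evil.example' both fail
    because their trailing labels are not ['spotify', 'com']."""
    h = host.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".")
    return len(h) >= len(b) and h[-len(b):] == b


def is_first_party(url: str, base: str = "spotify.com") -> bool:
    host = url_host(url)
    return host is not None and is_under(host, base)


def naive_is_first_party(url: str, base: str = "spotify.com") -> bool:
    """The common mistake, kept only to show what it wrongly accepts:
    a suffix test on the hostname matches notspotify.com."""
    host = urlsplit(url).hostname or ""
    return host.endswith(base)


def audit(urls: List[str], base: str = "spotify.com") -> Dict[str, bool]:
    """Map each URL to whether it is genuinely under the base domain."""
    return {u: is_first_party(u, base) for u in urls}


# Constructed sample links, not taken from any real page.
SAMPLE_URLS = [
    "https://wrapped.spotify.com/",            # hypothetical first-party hosting
    "https://spotifywrapped.com/",              # the post's actual concern
    "https://notspotify.com/",                  # suffix-test trap
    "https://spotify.com.evil.example/",        # subdomain of an attacker domain
    "https://spotify.com@evil.example/",        # userinfo trick
    "https://evil.example/spotify.com",         # brand name in the path
    "http://wrapped.spotify.com/",              # right domain, no TLS
]

if __name__ == "__main__":
    for url, ok in audit(SAMPLE_URLS).items():
        print(f"{'first-party' if ok else 'NOT first-party':16} {url}")
```

The label comparison deliberately knows nothing about the public-suffix list: it is meant for a base you control, such as spotify.com, not for generic suffixes like co.uk, and it does not attempt IDNA normalisation of internationalised hostnames.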
[Update] Unrelated to identity hygiene, but just realized the website also doesn’t support Firefox on Android – “This website is optimized for certain devices and browsers. Sorry about that.” 🙁