Spotify Wrapped – Site Identity Hygiene Study

Today I was made aware of Spotify Wrapped. On the surface, it seems like a cool little tool to get a perspective on your music-listening habits on Spotify in the last year:

“Take a look at how you listened. Because no one else listened exactly like you.”

But when I visited the site, something smelled fishy (pun intended). I did some poking around and here’s what I found:

  1. The site is hosted on a non-Spotify domain: spotifywrapped.com
  2. The site uses a free Let’s Encrypt certificate that covers spotifywrapped.com and does not specify an Organization.
  3. The official Spotify domain uses a DigiCert certificate that covers *.spotify.com and specifies that it belongs to an Organization “Spotify AB”.
  4. All the links on the website – Legal, Privacy, Cookies, etc. – point to spotify.com URLs.
  5. The site uses OAuth to connect to the user’s Spotify account and get access to their listening data. The OAuth prompt says “You agree that 2018 Wrapped is responsible for its use of your information in accordance with its privacy policy.” This messaging is confusing – “2018 Wrapped”? And “its privacy policy” – the site links to Spotify’s official privacy policy page and does not have one of its own.
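
To make the checks behind items 1–4 repeatable, here is an added checker (not part of the original post, and not Spotify tooling) that evaluates the same signals: whether the host is really under the brand’s registrable domain, whether the certificate names an Organization, whether its SANs cover the host, and whether an off-brand host is leaning on policy links into the brand domain. The function names, the `open.spotify.com` host, and the sample inputs are my own assumptions; `fetch_cert_fields` is the live variant and needs network access.

```python
import socket
import ssl

BRAND_DOMAIN = "spotify.com"

def registrable_match(host, brand_domain=BRAND_DOMAIN):
    # Dot boundary required: a bare suffix check would accept "spotify.com.example".
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def san_covers(san_names, host):
    # A wildcard SAN (*.spotify.com) matches exactly one label: it covers open.spotify.com, not a.b.spotify.com.
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def fetch_cert_fields(host, port=443):
    # Live variant (needs network): read Organization and DNS SANs from the served certificate.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"host": host, "organization": subject.get("organizationName"), "sans": sans, "link_hosts": []}

def identity_findings(site, brand_domain=BRAND_DOMAIN):
    # Each finding is one of the signals the post checked by hand.
    findings = []
    on_brand = registrable_match(site["host"], brand_domain)
    if not on_brand:
        findings.append("host %s is not under %s" % (site["host"], brand_domain))
    if not site.get("organization"):
        findings.append("certificate carries no Organization (domain validation only)")
    if not san_covers(site["sans"], site["host"]):
        findings.append("certificate SANs do not cover the host")
    if not on_brand and any(registrable_match(h, brand_domain) for h in site["link_hosts"]):
        findings.append("policy links borrow %s trust from an off-brand host" % brand_domain)
    return findings

# Constructed inputs modelled on the post's observations, not captured from a live scan.
WRAPPED = {"host": "spotifywrapped.com", "organization": None, "sans": ["spotifywrapped.com"], "link_hosts": ["www.spotify.com"]}
OFFICIAL = {"host": "open.spotify.com", "organization": "Spotify AB", "sans": ["*.spotify.com"], "link_hosts": ["www.spotify.com"]}
```

Running `identity_findings(WRAPPED)` flags three of the four signals (off-brand host, no Organization, borrowed policy links), while `identity_findings(OFFICIAL)` returns nothing; swap in `fetch_cert_fields("example.org")` to run the same checks against a live certificate.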

Upon Googling, I was able to find a Spotify Newsroom (or “For The Record”?) article confirming that this is indeed a Spotify product. Spotify Newsroom/For The Record is hosted on a subdomain of Spotify, and is therefore trustworthy.

This is problematic, because I could very easily make another site (spotifywarped.com maybe? 😉), get a Let’s Encrypt cert, link to Spotify official policy pages, and maybe even use OAuth to get access to user data, all the while pretending to be Spotify.

This sets a precedent, and conditions users to more readily trust websites hosted on arbitrary domains with their personal data – making it easier to craft successful phishing attacks piggy-backing on brand trust. I think this is less than ideal for the security of the Web.

I want to acknowledge that people who build these products/tools are often under constraints and sometimes it’s necessary to make compromises in order to ship. But I think developers should prioritize site identity hygiene – for the health of the web.

This site should have been on a subdomain of spotify.com. Or at the very least, I’d have been relatively happy with a link to a Spotify-hosted document (like the news article) verifying that Spotify Wrapped is authentic. The more Web developers practice identity hygiene, the more browsers can take advantage of that to build tools and UX to help users protect themselves. It’s an ecosystem.

[Update] Unrelated to identity hygiene, but just realized the website also doesn’t support Firefox on Android – “This website is optimized for certain devices and browsers. Sorry about that.” 🙁
