# Missing DRM Enforcement in Spotify's Accesspoint API: Proof of Concept Report

Repository: https://github.com/SamuelScheit/spotify-drm-report (owner SamuelScheit, MIT license, JavaScript; created 2025-05-20, last pushed 2025-05-20). Corpus record: https://awesome.ecosyste.ms/projects/github.com%2Fsamuelscheit%2Fspotify-drm-report

This report details a flaw in Spotify's Accesspoint API which allows any user with a valid Spotify account to download and decrypt songs without any Digital Rights Management (DRM) enforcement.

This vulnerability was reported to Spotify both in January 2020 (by another researcher) and again by myself in August 2023. For more than 5 years no action has been taken to address or fix the issue.

After exhausting all responsible disclosure options, I feel it's necessary to make this information public in the hope that it will finally prompt Spotify to take action and implement proper security measures.

## [Demo](https://youtu.be/adMpsinuZvU)

https://github.com/user-attachments/assets/c21064e6-c902-4de9-a0d9-e9df769f1708

## [Proof of concept](./src/examples/download.ts)

## Report:

Spotify's Accesspoint API does not enforce any Digital Rights Management (DRM) system for requesting and decrypting songs, apart from requiring a valid Spotify account (free or premium). This allows any Spotify user to download and decrypt songs from Spotify without the client's integrity ever being verified by a DRM system.

The following report describes the process of downloading and decrypting songs from Spotify without using any DRM system:

1.  Connect to Spotify's Accesspoint TCP API
2.  Set up the transport layer encryption

    - generate random ephemeral Diffie–Hellman keys
    - send a ClientHello message with the ephemeral public key
    - wait for the APResponseMessage that contains the remote public key
    - calculate the shared Diffie–Hellman secret from the ephemeral private key and the remote public key
    - use the previously exchanged ClientHello/APResponseMessage and the shared secret to derive symmetric send/receive keys and an HMAC hash
    - send the HMAC hash as a ClientResponsePlaintext message
    - use the derived symmetric send/receive keys to set up Shannon ciphers for all further communication

3.  Authentication

    - Authenticate by sending a ClientResponseEncrypted message with the username and password of a valid Spotify account (can be premium or free)
    - Wait for the APWelcome message that indicates successful authentication
    - Send a MercuryRequest message with the URI `hm://keymaster/token/authenticated?scope=playlist-read&client_id=65b708073fc0480ea92a077233ca87bd&device_id=00000000-0000-0000-0000-000000000000`, where `client_id` is the permanent client ID of the official Spotify client and `device_id` is any random UUID
    - Wait for the MercuryReply message that contains the ephemeral access token, which is valid for 1 hour

4.  Download song

    - Send an HTTP request to `https://spclient.wg.spotify.com/metadata/4/track/<track_id>` with the ephemeral access token in the Authorization header and `track_id` set to the desired track
    - The response JSON object has an array `file` with different URLs for downloading the track
    - Download the file with the desired bitrate and codec from one of the URLs
    - Note: the file URLs are only valid for a limited time, and each file is encrypted with a different AES-128-CTR key
    - Note: free accounts can only download files with a maximum bitrate of 160 kbps

5.  Decryption

    - Request the decryption key from the Accesspoint API by sending a RequestKey message with the `track_id` and `file_id` of the downloaded file
    - Wait for the KeyResponse message that contains the decryption key
    - Decrypt the downloaded file with the AES-128-CTR decryption key

The decrypted track can then be played with any media player that supports the codec of the downloaded file.

### Conclusion:

In contrast to the web player, which uses the Widevine DRM system to verify the integrity of the client and only allows playback of songs inside the web player, the Accesspoint/SPClient API does not use any DRM system to verify the integrity of the client. The only information necessary to download and decrypt songs is the track ID and a valid Spotify account, which anyone can register for free.