PT-2024-22327 · Spotify · Yourspotify

Ragingcactus · Published 2024-03-13 · Updated 2024-03-15 · CVE-2024-28193

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: YourSpotify versions prior to 1.8.0

Description: The issue allows attackers with access to a public token for guest access to obtain Spotify API tokens of users. This can lead to the extraction of profile information, listening habits, playlists, and other data from the corresponding Spotify profile. Additionally, attackers can control playback in the Spotify app.

Recommendations: For versions prior to 1.8.0, upgrade to version 1.8.0 to resolve the issue. As a temporary workaround, consider restricting access to the /me API endpoint until the upgrade is applied. Avoid using the public token feature in the settings until the issue is resolved.
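Server-side illustration of the workaround above, as an added example that is not YourSpotify's own code: it assumes an Express-style route, a hypothetical `req.auth.kind` field set by an upstream auth middleware (`'public'` for the guest token, `'user'` for a full login), and hypothetical names for the stored Spotify token fields.

```javascript
// Added example, not YourSpotify's code. Assumed shape: an auth middleware has
// already set req.auth = { kind: 'public' | 'user' } and req.user to the stored
// user record. Field names below are assumptions, not the project's schema.

// Credentials that must never be returned to any client. The property names
// are hypothetical; adapt them to the real user document.
const SENSITIVE_FIELDS = ['accessToken', 'refreshToken', 'expiresIn'];

// Return a copy of the user record with Spotify credentials removed.
// The original object is left untouched.
function redactSpotifyTokens(user) {
  const copy = { ...user };
  for (const field of SENSITIVE_FIELDS) delete copy[field];
  return copy;
}

// Decide how /me should answer for a given session. Returns { status, body }
// so the policy can be tested without starting an HTTP server.
function handleMe(auth, user) {
  if (!auth) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  if (auth.kind === 'public') {
    // Temporary workaround from the advisory: a guest (public-token) session
    // gets no access to /me at all until the fixed version is deployed.
    return { status: 403, body: { error: 'public token may not access /me' } };
  }
  // Even a fully logged-in user never needs the server's Spotify tokens
  // echoed back; strip them so the endpoint cannot leak them by accident.
  return { status: 200, body: redactSpotifyTokens(user) };
}

// Express-style wiring for the hypothetical route.
function meRoute(req, res) {
  const { status, body } = handleMe(req.auth, req.user);
  res.status(status).json(body);
}
```

Restricting the endpoint is a stopgap only; the token fields should also be kept out of every serialised response once 1.8.0 is in place.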

Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-28193
GHSA-3782-758F-MJ85

Affected Products

Yourspotify