Spotify apologises for tainted ad kerfuffle

Spotify has promised to review its security following an attack that exposed users of the free version of its music streaming service to malware on Thursday. Tainted ads displayed to music fans served up content from sites that used the Blackhole Exploit Kit in an attempt to infect users with the Windows Recovery fake anti- …


This topic is closed for new posts.
  1. The Cube

    Simple cure for this type of problem

    Don't allow any non HTML content for the Crapverts, no Adobe Crash player, no Javascript, no irritating flashing moving crap, no cross site content. If your product is too shit for people to want it or your ad agency too retarded to produce a decent ad using just HTML the problem is not the lack of animated crapware.

    I use Spotify occasionally, but only in a browser and only with NoScript and Adblock blocking most of the crap. If you want users to trust your application then you need to distribute an application rather than a security vulnerability package dressed up as an app. Get rid of the crap or end up like the AIM client. I wouldn't run their app in a disposable VM.

    1. Anonymous Coward

      How do you use Spotify 'in the browser'? Are you sure you're not thinking of Grooveshark? In any case, I'm sceptical any streaming service would work properly with NoScript; you can barely navigate pages these days without allowing some pointless JavaScript.

  2. Kanhef

    One solution

    Don't serve third-party ads. Having no advertisements at all would be ideal, but many web sites depend on them as their only source of revenue. So turn them into first-party ads by getting the ad content, running it through a malware scanner or three, and host them on the site itself. In addition to blocking poisoned ads, this would get rid of ad network tracking, and allow highly-targeted advertising (e.g., on social networks) without sharing personal information with other companies. Everyone wins.

    1. Fatman

      RE: One solution

      Third party ads are (usually) served from CDNs (Crapvertising Delivery Networks) that have large pipes. If those ads were served from YOUR host, then YOU need the bandwidth, and end up paying for it.

      1. Anonymous Coward

        adverts are small beans... bandwidth terms when you're a music streaming outfit.

  3. Slay

    A link to the specific malware removal software would have been nice...

    as opposed to a statement like, ' if you had a decent malware checker, you would have been fine...'

    If you open the security hole, you have a level of responsibility to get rid of any infections.

    Saying 'sorry' doesn't make it OK...

    1. Gordon Barret


      Whilst it would be good (for us and for them) for them to distribute some anti-malware in this situation, if "Third party ads are (usually) served from CDNs" then I think that the responsibility for this snafu lies fairly and squarely with the CDNs.

      If they are to be allowed to push ads to thousands or millions of users then they must be made to GUARANTEE the ads they serve are malware- and virus-free.

      It's not like they are serving millions of different random ads, there would only be a relatively small number saved on their site somewhere, it is just so plainly obvious they should actually scan them to make sure they have no problems.

  4. twunt

    The Cube - Spotify does run in the browser

    Thanks for the useless advice, but Spotify can't be run via a browser.

Biting the hand that feeds IT © 1998–2020