Spotify spews 'unencrypted' FREE MP3s all over creation

Spotify has tweaked the music player on its website after someone apparently found a way to harvest every single MP3 file from the audio-streaming service. The media biz's playback site, which launched in November, did not encrypt data streamed to the listener's web browser, it is claimed. One enterprising programmer said he …


This topic is closed for new posts.
  1. Steen Hive

    Possibly using RTMP?

    So now it's JS + rtmpdump?

  2. Destroy All Monsters Silver badge

    Artist can also choose to share their music with pink singing ponies and a barf bag.

    "Artist can choose to share their music DRM free, but we don't need to force them."

    Way to miss the point. It's about "paying" not about whether there is DRM or not. And who is that "we" he is talking about? I haven't been introduced.

    1. Joe Harrison

      Re: Artist can also choose to share their music with pink singing ponies and a barf bag.

      I spend a lot of time in clubs and the DJ comes along with his laptop and plays an MP3 which sounds great to him ON HEADPHONES. Sounds terrible however on big speakers. I'm guessing it's something to do with the psychoacoustic model.

  3. vinyl1

    MP3s are so low-quality that they are not even worth stealing.

    I was recently able to hear double-DSD rips of studio master tapes - now that is music! I am not surprised the record companies won't release stuff like that. It has 128 times the bit density of CD.

    1. Anonymous Coward

      Let me guess, it sounds "warmer".

      1. paulll

        ...and yet more airy. The soundstage came alive with incredibly accurate stereo imaging, although obviously this was due in no small part to the depleted uranium interconnects and the pineapple perched on the windowsill.

        1. Anonymous Coward

          "The soundstage came alive with incredibly accurate stereo imaging, although obviously this was due in no small part to the depleted uranium interconnects and the pineapple perched on the windowsill."

          Classic hi-fi wank. You can actually put the pineapple anywhere and it has the same effect.

    2. Anonymous Coward

      "MP3s are so low-quality that they are not even worth stealing."

      That is true, but it is not completely .mp3's fault. If you take CDDA and use lame @ 320kbps, you won't notice. But that is CDDA, which sadly is still the popular format. Now if you rip DVD-A or DTS streams and encode .mp3 @ 320, you immediately hear the difference. However, being .mp3 is generally encoded from CDDA, it is gimped from the start at the source.

      The irony of .mp3 quality is that if you download them for free, they are almost always better quality than the ones you pay for, I'd say 95% of the time. Companies are just too damn greedy to spend an extra 0.005 dollars to sell you a better quality .mp3.

      Technically, if you want higher quality .mp3's you don't buy them, because you can't :-/

    3. Anonymous Coward

      BD's are such low quality too that movies are not worth stealing. A "lightly" compressed video is 100Mbps which is 2.5 times that of BD. Want to see great video, uncompressed is the way to go.

      All aside. What does all that quality (video or audio) if you are listening to it on some cheap headphones, in a car with all the road noise or on a phone?

    4. Don Jefe

      Release quality has many factors involved in the final decision, but a significant factor is that very few people have access to the equipment necessary to take advantage of super high quality recordings.

    5. phr0g

      CD will give perfect playback of anything in the 0 to 22 KHz range (Nyquist's theorem)

      Anything more is inaudible.

      SACD is only useful for surround encoded music, HD music is only useful for making money from ignorant audiophiles.

      (Many SACDs and HD albums DO sound better, but because they have been mastered better, without nasty compression clipping the peaks - The same could be done to the CD, but then they would struggle to charge £20 for it.)

      As for MP3 at 320 KBps. It's pretty much transparent to the CD, and perfectly good.

      By the way, Spotify use the Ogg codec anyway, which is even better.

      1. Richard 22

        > CD will give perfect playback of anything in the 0 to 22 KHz range (Nyquist's theorem)

        You're assuming the quantisation is only happening in 1 dimension (time). There's also the amplitude quantisation, which is done to 16bits with CD. SACD and other HD formats use more bits for the amplitude. So no, CDs will _NOT_ give "perfect" playback of anything up to 22kHz - neither will SACD etc, but they will be closer. However, it will give good enough playback for 99% of the situations people listen in (given low quality amplification, background noise, imperfect ears, not sitting in the optimal position etc etc).

        Personally I don't think my ears are good enough to tell the difference between a decent MP3 rip at ~192k VBR and 320k (or lossless for that matter). I haven't heard a really bad mp3 for many years (I remember the Xing mp3 ripper was really fast, back in the days when most encoders were slower than real time, but could produce some terrible results).

      2. Anonymous Coward

        Price of CDs

        "The same could be done to the CD, but then they would struggle to charge £20 for it"

        What do you mean? CDs DO cost nearly £20! That's why huge numbers of people invest time in searching for and downloading ripped copies instead of going to HMV to buy the real thing.

    6. Anonymous Coward

      I quite agree but I and probably one or two more people on the planet ( sarcasm ) want their music to simply listen to, we don't want to have to buy a 1TB player and only be able to carry 10 FLAC albums around with us. A couple of hundred on a decent mobile phone is good enough for most of us and we get to carry about 1,000+ tracks in 320k.

      I shoot photos so I've spent close on £10k on camera kit to do it properly, people tell me I'm mad and that a £150 point'n'shoot pocket camera will do just as well, I know different but I'd never tell them that unless they ask.

      My photos are important to me so that's my thing, your audio quality is important to you. I won't piss on your parade if you don't piss on mine. Each to their own and never the twain and all that.

    7. Wize

      "MP3s are so low-quality that they are not even worth stealing."

      That's like saying .jpg images are too low quality to make out what the image is.

      The compression level can be adjusted at the point of creation to make them very close to a lossless format but still have a reasonable amount of compression.

    8. MacGyver

      I only care once in a while

      I have some pretty gnarly mp3s, some of them are 15 years old, some were converted to VQFs, and then back to MP3, and the source CD has long since disappeared. On occasion I will get some sort of alien cut-in out of nowhere (perhaps caused by an errant neutrino hitting my hard-drive in just the right place, or maybe just aliens), but other than those and the occasional unlucky "cumulative compression clipping" (I know I just made that up, but what would you call the weird robotic clipping that occurs when an artifact from compression gets compressed again, but then is 4 times worse than the first time?).

      Anyway, all I was saying is that some people don't care all that much about the quality 90% of the time, not enough to even re-rip CDs to mp3s, let alone pay for some weird master that only plays on a bed of baby seal tears ran by moonbeams.

  4. ecofeco Silver badge

    Oh this is too funny

    Really? No, really?

    And with just Javascript, no less.

  5. JDX Gold badge


    Another great high publicity case to support DRM... if you want content not to be covered in security crap then act like responsible adults rather than take advantage.

  6. Mage Silver badge

    DRM on music

    Pointless to stop real pirates

    Option 1: Virtual Audio Cable

    Option 2: Two sound cards or second computer.

  7. Cameron Colley

    Am I missing something?

    ""So Spotify made a great HTML5 player for its service, but they forgot their encryption. Nice!" Aldenhoven wrote in his code bundle on GitHub."

    Since when did HTML5 allow any kind of DRM? Or is that his point?

    Personally I'd be happy to see DRM on streaming media as long as I can buy a decent copy without any usage restrictions beyond rule of law (e.g. CD, SACD, DVD Audio).

    1. diodesign (Written by Reg staff) Silver badge

      Re: Am I missing something?

      "Since when did HTML5 allow any kind of DRM?"

      Well, if Microsoft, Google and Netflix get their way...


    2. Mike007

      Re: Am I missing something?

      From the 'adobe' reference in the article I'd guess about the same time flash became part of HTML5? oh...

    3. Not That Andrew

      Re: Am I missing something?

      It never specifically disallowed DRM. However, there are proposals before the W3C to add DRM support to the standard. It will quite likely become part of the standard whenever it is finalised.

      1. Cameron Colley

        Re: Am I missing something?

        Well, yes, I am aware of the proposals for DRM and the fact that they have not been accepted. However, it appears that Robin Aldenhoven is not, as he seems to think that DRM is included in HTML5 for some reason.

        So either I am better informed than somebody who should know better or he knows something the rest of us don't.

  8. mickey mouse the fith

    Not a new concept

    I wrote a little tool in Visual Basic a long while back that ripped Spotify content. I took the artist/album name from the window title, like this plugin does, and recorded the raw audio stream via an audio library (I think, it was a while ago), detecting the title change to close the current rip and encode to mp3 or whatever. It worked flawlessly and was pretty easy to code. Mine worked on the Windows Spotify client; I don't think they had a web service when I wrote it, although I imagine it would have done its job via a web browser with a little tweaking. I must dig it out and see if it still works; it would be funny if it did.

    It ripped shoutcast streams as well, great for recording improv mix tapes for offline listening.

    I was going to release it, but yknow, the law.....

  9. Anonymous Coward

    Oh bloody hell, he went public? Like he needs everybody to know what a genius he is? The real geniuses work this stuff out and then keep it to themselves, Now he's gone and spoiled all my freetarding fun.

  10. Major Variola

    Silly Amazon, bits are copied or don't exist!

    "The media file is not stored locally on the end user's system."

    Silly Amazon, a bit that can't be read = copied is not a bit at all! Of course your content is copied as plaintext in our system. Then the buffers are played out. Perhaps you mean, "persistently by *our* software"

  11. herman Silver badge

    Same difference

    It doesn't matter that the link is now encrypted, one can still record it just fine.

    It also seems like nobody ever heard of Streamtuner and Streamripper. There is really no reason to use Spotify, iTunes, Pandora and the like in the first place!

    I live in a country with terrible radio stations, so all I play in my car is music saved with streamripper. One USB stick can hold several weeks worth of music.

    1. Someone Else Silver badge

      Re: Same difference

      I live in a country with terrible radio stations [...].

      You live near Chicago, then?

  12. Crisp

    So back to pressing play and record on the tape deck when a song I like comes on?

    Mine's the one with a mix tape in the pocket.

  13. Tim 11

    OMG - a way to get free MP3s online

    I've been waiting for years for that to happen

    1. Dr.S

      Re: OMG - a way to get free MP3s online

      Yes, it is indeed terrible. Spotify was only successful because there was no alternative way of getting access to music. Now they will completely lose all their customers.

  14. Rob Daglish Bronze badge

    @Joe Harrison

    I'd suspect that it's probably also due to the fact that the DJ doesn't take any time to properly balance and EQ the sound system too. First time I use a venue's PA, it can take ages until I'm happy that the noise I'm hearing is actually what I want to hear. Just because there is lots of expensive kit there, doesn't mean it all plays together nicely.

    Also, laptop sound cards are usually pap - if I'm outputting from a laptop to a PA, I generally use a decent USB audio interface like

    Although as I usually end up with Musical Theatre, it all gets knocked sideways by the vocals...

Biting the hand that feeds IT © 1998–2022