Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
In June 2013, Spotify encountered an unusual security vulnerability involving Unicode username normalization, which allowed attackers to hijack user accounts. This vulnerability emerged due to incorrect assumptions about the idempotency of Spotify’s canonical username normalization method, derived from the XMPP standard implemented by the Python Twisted library. Specifically, the function nodeprep.prepare used for normalizing Unicode usernames was mistakenly presumed to be idempotent, meaning repeated normalization should yield the same result. However, due to subtle differences in Unicode versions between Python 2.4 and Python 2.5, certain characters (such as special Unicode superscripts) were incorrectly normalized, allowing adversaries to create visually similar usernames that resolved to existing user accounts upon multiple normalizations.
Attackers exploited this by creating new Spotify accounts with Unicode usernames visually identical to existing accounts but normalized differently internally. When requesting a password reset for these specially crafted usernames, the normalization inconsistency caused Spotify’s system to mistakenly reset the passwords of legitimate accounts, effectively granting attackers full control. Spotify quickly responded by temporarily halting new account creation and implementing stricter validation that ensured usernames were invariant under repeated normalization. This incident highlighted critical lessons about thoroughly validating Unicode inputs, understanding the nuances of library version upgrades, and being cautious when relying on external standard implementations.
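A minimal Python illustration of the non-idempotent normalization described above and of the invariance check that fixes it. This is an added example, not Spotify's or Twisted's code: the simplified case-fold-then-NFKC normaliser, the superscript sample name and the account dictionary are all constructed for illustration.

```python
import unicodedata

# Constructed sample: modifier-letter capitals (U+1D2E, U+1D35, U+1D33, U+1D3F,
# U+1D30) that render like "BIGBIRD". They have no lowercase mapping, so
# str.lower() leaves them alone, but NFKC maps them to plain ASCII capitals.
CRAFTED = "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"


def naive_canonical(username: str) -> str:
    """Stand-in for a nodeprep-style normaliser (not Twisted's implementation).

    Case-folding runs BEFORE NFKC, so NFKC can emit uppercase letters that the
    fold never saw. A second pass folds them, so the function is not idempotent.
    """
    return unicodedata.normalize("NFKC", username.lower())


def is_stable(canonical, username: str) -> bool:
    """True when one more pass of `canonical` changes nothing (idempotent here)."""
    once = canonical(username)
    return canonical(once) == once


def hardened_canonical(username: str) -> str:
    """Fix in the spirit of the page: reject names not invariant under repeated
    normalization instead of silently accepting a name that drifts."""
    once = naive_canonical(username)
    if naive_canonical(once) != once:
        raise ValueError("username is not invariant under repeated normalization")
    return once


def simulate_flawed_reset(canonical, accounts: dict, new_name: str) -> str:
    """Model of the flawed flow: signup stores canonical(name); the reset path
    canonicalises the stored name once more before looking up the account.
    Returns the account key the reset would actually hit."""
    stored = canonical(new_name)
    if stored in accounts:
        raise ValueError("name already taken")
    accounts[stored] = "new-account"
    return canonical(stored)          # second pass: may collide with a victim


if __name__ == "__main__":
    print(naive_canonical(CRAFTED), naive_canonical(naive_canonical(CRAFTED)))
    print("stable:", is_stable(naive_canonical, CRAFTED))
```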
We made a challenge recreating this:
Learn more about this incident from Spotify Engineering
Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.