Monthly Archives: June 2017

Spotify Device Name and Folder Name XSS

Found some “Self-XSS” bugs on Spotify. The first is caused by the mobile device name not being sanitized before the WebView in the Spotify Desktop application displays it, as the broken image tag shows. Unfortunately this bug did not qualify for a bounty of any kind on HackerOne, as it is considered a harmless “Self-XSS”.

The folder name bug appears to be a duplicate: it had already been reported by someone else but was not fixed. Spotify considers both bugs harmless, so neither has been fixed.