Spotify Device Name and Folder Name XSS

Found some "Self-XSS" bugs on Spotify. The first is caused by the mobile device name not being sanitized before it is displayed by the WebView in the Spotify Desktop application, as shown by the broken image tag. Unfortunately this bug did not qualify for a bounty of any sort on HackerOne, as it is considered a harmless "Self-XSS".

The other bug, in the folder name, appears to be a duplicate of a report someone else already filed that was likewise not fixed. Both bugs are considered harmless to Spotify and therefore have not been fixed.
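The root cause described above is a user-controlled string (a device name) being concatenated into markup that a WebView then renders. The following is an added example, not Spotify's code, that shows the unsafe rendering pattern beside a hardened version that escapes the name; the device list and the `renderDevices*` helpers are constructed for illustration.

```javascript
// Added example (not Spotify's code): rendering a user-controlled device name
// into a WebView. The device name is untrusted input and must be treated as
// text, never as markup.

// Constructed sample: one device whose name carries a broken <img> tag, the
// shape of input the post describes.
const SAMPLE_DEVICES = [
  { id: 'd1', name: 'Living Room Speaker' },
  { id: 'd2', name: '<img src=x onerror="console.log(\'xss\')">' },
];

// Minimal HTML entity escaping for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw name is interpolated into markup, so a name that
// contains a tag becomes live DOM once this string is assigned via innerHTML.
function renderDevicesUnsafe(devices) {
  return devices.map(d => `<li data-id="${d.id}">${d.name}</li>`).join('');
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function renderDevicesSafe(devices) {
  return devices
    .map(d => `<li data-id="${escapeHtml(d.id)}">${escapeHtml(d.name)}</li>`)
    .join('');
}

// Defensive check for a unit test or a render-time log: does the rendered
// output still contain a device name with an unescaped tag in it?
function containsRawTag(html, devices) {
  return devices.some(d => /<[a-z]/i.test(d.name) && html.includes(d.name));
}
```

In a real WebView the safer fix is to avoid string-built HTML entirely and set the name with `textContent`; escaping is shown here because it is testable without a DOM.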
