Spotify Cross Site Scripting

Date: 28 Nov 2012 00:00:00 | Reported by: Pieter | Type: packetstorm | Source: packetstormsecurity.com

Spotify persistent cross-site scripting vector on the play.spotify.com website, affecting playlists

Code
`Title:  
======  
Spotify Playlists - Persistent Cross Site Scripting Vector  
  
  
Date:  
=====  
2012-11-27  
  
Introduction:  
=============  
Spotify is a Swedish music streaming service offering digitally restricted  
streaming of selected music from a range of major and independent record  
labels, including Sony, EMI, Warner Music Group and Universal. Launched in  
October 2008 by Swedish startup Spotify AB, the service had approximately  
ten million users as of 15 September 2010, about 2.5 million of whom were  
paying members. Total users reached 15 million by August 2012, 4 million  
of them paying monthly. As of November 2012, the service is available in  
Andorra, Australia, Austria, Belgium, Denmark, Faroe Islands, Finland,  
France, Germany, Republic of Ireland, Liechtenstein, Luxembourg, Monaco,  
the Netherlands, New Zealand, Norway, Spain, Sweden, Switzerland, the  
United Kingdom and the United States.  
  
The system is currently accessible using Microsoft Windows, Mac OS X,  
Linux, Telia Digital-tv, iOS, Android, BlackBerry, Windows Mobile, Windows  
Phone, S60 (Symbian), webOS, Squeezebox, Boxee, Sonos, WD TV and MeeGo.  
  
Music can be browsed by artist, album, record label, genre or playlist as  
well as by direct searches. On desktop clients, a link allows the listener  
to purchase selected material via partner retailers.  
  
A six month free trial period is activated upon Spotify account  
registration or first login with a Facebook account, where a user can  
listen to an unlimited amount of music supported by visual and radio-style  
advertising. After the trial, Spotify has a listening limit of 10 hours  
per month, divided into a 2.5 hour streaming allocation each week (with  
any unused hours carrying over to the next week). An "Unlimited"  
subscription removes advertisements and time limits and a "Premium"  
subscription introduces extra features such as higher bitrate streaming,  
offline access to music and mobile app access. An active Facebook account  
is required to use Spotify if the user has signed up using Facebook, but  
as of 30 August 2012 the option to make a Spotify username has been  
reintroduced. Subscriptions are restricted to people with credit/debit  
cards or PayPal accounts registered in certain countries.  
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)  
  
  
Abstract:  
=========  
I found a Persistent Cross-Site Scripting vector on the play.spotify.com  
website.  
  
Report-Timeline:  
================  
2012-11-22: Researcher Notification & Coordination  
2012-11-22: Vendor Notification  
2012-11-22: Vendor Response/Feedback  
2012-11-23: Vendor Fix/Patch  
2012-11-27: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Spotify  
  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
Playlists were not escaped on the play.spotify.com website  
  
http://25.media.tumblr.com/tumblr_mdwhqe3to51rkjs15o2_1280.png  
  
Proof of Concept:  
=================  
1. Create a playlist  
2. Name it ">{CODE_HERE}  
  
  
`
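
Added example, not part of the advisory and not Spotify's code: it renders a constructed, harmless playlist name with and without HTML escaping and lists the elements a parser would see in each result. The advisory does not show the page markup, so the template below (name written into a double-quoted attribute and a text node, as the `">` prefix in the proof of concept suggests) and all function names are assumptions.

```javascript
// Constructed sample: the advisory's `">` prefix followed by a harmless
// <b> element standing in for {CODE_HERE}.
const SAMPLE_NAME = '"><b>injected</b>';

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pattern the advisory describes: the stored name is concatenated unescaped.
function renderPlaylistUnsafe(name) {
  return '<a class="playlist" title="' + name + '">' + name + '</a>';
}

// Hardened form: the same (assumed) template with output encoding applied.
function renderPlaylistSafe(name) {
  const safe = escapeHtml(name);
  return '<a class="playlist" title="' + safe + '">' + safe + '</a>';
}

// Small scanner: returns the names of the start tags in `html`,
// treating quoted attribute values as opaque, as an HTML parser would.
function listStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[a-zA-Z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      while (j < html.length && /[a-zA-Z0-9]/.test(html[j])) j++;
      tags.push(html.slice(i + 1, j).toLowerCase());
      let quote = null; // skip to the closing '>' outside any quoted value
      while (j < html.length && (quote || html[j] !== '>')) {
        if (quote) { if (html[j] === quote) quote = null; }
        else if (html[j] === '"' || html[j] === "'") quote = html[j];
        j++;
      }
      i = j + 1;
    } else {
      i++;
    }
  }
  return tags;
}

console.log('unescaped:', listStartTags(renderPlaylistUnsafe(SAMPLE_NAME)));
console.log('escaped:  ', listStartTags(renderPlaylistSafe(SAMPLE_NAME)));
```

Any element beyond the single `a` in the first result came from the stored playlist name rather than from the template, which is what makes the vector persistent for every viewer of the playlist.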
