July 13, 2026
How I Discovered a Premium Bypass Vulnerability in Spotify — And What Happened Next A first-time…
By Nikhil Garg
4 min read
How I Discovered a Premium Bypass Vulnerability in Spotify — And What Happened Next A first-time bug bounty researcher's journey through responsible disclosure.
After 90 days of responsible disclosure with zero response, I am publishing this today.
The Simple Version Imagine accessing Spotify Premium for free — no ads, unlimited skips, complete on-demand playback — without paying a single rupee. Not through a modded app, not through a cracked APK, but through Spotify's own official apps working against each other on your existing Android device. That's exactly what I found.
Who Am I My name is Nikhil Garg. I'm an independent security researcher and a second-year engineering student. This was my first ever bug bounty report. I'm publishing this after completing a full 90-day responsible disclosure process with no resolution from Spotify's security team. I'm not publishing this out of frustration. I'm publishing this because the security community deserves transparency, other new researchers deserve to learn from this experience, and Spotify's users deserve to know.
Background — How Spotify's Free Tier Works Spotify's business model depends on two revenue streams — Premium subscriptions and advertising. To incentivize upgrades, the free tier on Android enforces strict server-side restrictions:
- Shuffle-only playback — you cannot choose specific songs
- Maximum 6 skips per hour
- Mandatory unskippable audio advertisements
- No queue management
- No Smart Shuffle or Repeat feature These restrictions are enforced server-side, meaning Spotify's backend actively checks your account type and applies these limits. Or at least — it's supposed to.
What I Found Spotify offers a feature called Spotify Connect — it allows you to control playback across multiple devices. For example, you can start music on your browser and control it from your phone. Here's what Spotify's backend doesn't do correctly. When you establish a Spotify Connect session between the Web Player (running in desktop mode on a mobile browser) and the Android App, the backend fails to re-validate your account's subscription status on the controller device. The Android App incorrectly inherits the Web Player's unrestricted session state. In technical terms, the product_type: free attribute is never re-checked during the cross-device handoff. The result is a complete authorization bypass — entirely on a single Android device, using only official Spotify apps.
What Gets Bypassed Once the session is established, the Android App unlocks: ✓ Smart Shuffle and normal shuffle toggle — strictly Premium-only on mobile ✓ Unlimited track skips — no warnings, no limits enforced ✓ On-demand track selection — search any song and play it directly ✓ Queue management — add, remove and reorder tracks freely ✓ Repeat feature — locked for free mobile users Additionally, when the Web Player session runs through a browser with a built-in ad blocker such as Brave Browser — which is free, widely available, and requires zero technical knowledge — audio advertisements are blocked entirely. The combined result is an experience completely identical to a paid Spotify Premium subscription, at zero cost.
Reproduction Steps
- On your Android phone, download Brave Browser (free on Play Store)
- Open Brave and go to open.spotify.com
- Tap the three dots menu and enable Desktop Site mode Log in with your free Spotify account and start any track
- Open the official Spotify Android App on the same device
- Tap the Devices icon and connect to the active Web Player session
- On the Android App — select any song directly, skip freely, toggle shuffle, manage your queue Every Premium feature now works. No subscription required. Reproducible in under 2 minutes.
Why This Is Severe — The Weaponization Scenario This vulnerability is not just a manual one-user exploit. It is fully automatable. A malicious actor could build a wrapper application that: Silently opens Spotify's Web Player in a background browser in desktop mode Auto-connects the Android client via Spotify Connect Delivers a complete Premium experience to any free user with a single tap Such an application requires zero technical knowledge and could be distributed to millions of Android users worldwide. The impact is not theoretical — it directly eliminates both of Spotify's primary revenue streams on Android: Premium subscriptions and advertising income — at massive scale.
The Disclosure Timeline March 11, 2026 — Report submitted to Spotify via HackerOne (#3598063) March 12, 2026 — Closed as Informative — "product design issue, not a security vulnerability" March 12, 2026 — First follow-up submitted with specific video timestamps proving Premium feature bypass March 12, 2026 — Second follow-up submitted with additional bypassed features — Queue Management, Unlimited Skips, On-Demand playback March 13, 2026 — Second PoC video submitted as additional evidence March 19, 2026 — Third follow-up requesting senior analyst review per program bounty table March 25, 2026 — Technical clarification submitted focusing on ad-bypass revenue impact April 2, 2026 — Final consolidated follow-up with new PoC video and documented weaponization scenario April 11, 2026 — Formal 90-day responsible disclosure notice posted — June 9, 2026 publication date given June 9, 2026 — Disclosure deadline passed with zero technical response from Spotify July 13, 2026 — Contacted Spotify support directly — directed back to HackerOne July 13, 2026 — Publishing today after 124 days with no resolution.
What I Learned As A First-Time Researcher Bug bounty hunting as a new researcher is genuinely difficult — not because finding bugs is impossible, but because the system creates significant barriers for newcomers. HackerOne requires a minimum Signal score of 0 to request mediation. New accounts start at "--". This creates a catch-22 where a new researcher with a legitimate finding has no recourse if a triage team makes an incorrect call. I followed every rule, waited respectfully between comments, provided extensive evidence across 4 videos and multiple follow-ups, and still had no path to escalation. This is not a criticism of HackerOne as a platform — it is a structural reality that new researchers should understand before investing significant time in their first report. Despite the outcome, I learned more about security research, responsible disclosure, and backend authorization failures from this one report than I could have from any course or tutorial.
A Final Note to Spotify This report was submitted entirely in good faith. I am a student researcher who found a genuine vulnerability in your platform and followed every ethical guideline in reporting it. If this vulnerability has already been patched — I would genuinely appreciate acknowledgment. If it has not — I hope this publication prompts an immediate fix to protect both your revenue model and your advertiser relationships. I hold no ill will. I simply believe the security community and your users deserve transparency.