spotipy
cpe:2.3:a:spotipy_project:spotipy:*:*:*:*:*:*:*
- <= 2.25.0
A vulnerability exists in Spotipy, a Python library for the Spotify Web API, in versions prior to 2.25.1. The issue is in the CacheFileHandler class, which creates the cache file that stores the authentication token with the default permissions 'rw-r--r--' (644). Because the file is world-readable, another user on the same machine, or a process running under a different user account, can read the Spotify auth token. Depending on the token's scope, this could allow unauthorized administrative actions on the Spotify account.
Unauthorized access to the Spotify auth token allows an attacker to perform administrative actions on the affected account within the limits of the token's scope. In the worst case this could include exfiltrating the user's liked songs or playlists, deleting content, or modifying content without permission. If a remote code execution vulnerability in Spotify were also exploited, the auth token could be used to manipulate playlists or control playback, potentially leading to further exploitation.
To reproduce this vulnerability, run an application that uses Spotipy for authentication. CacheFileHandler creates the cache file in the user's home directory with the default 644 permissions. If the home directory itself grants 'o+r' to other users, an attacker could read the file and steal the auth token.
Users should upgrade to Spotipy 2.25.1 or later, where the cache file is created with 'rw-------' (600) permissions, preventing other local users from reading the auth token.
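As an added defender-side illustration (not Spotipy's own code), the Python below shows why a plain open() yields a 644 token cache under the common 022 umask, the owner-only file creation that matches the 2.25.1 fix, and a check that flags any cache file still readable by group or others. The file names and the token value are constructed for the example.

```python
import json
import os
import stat
import tempfile


def write_cache_permissive(path: str, token_info: dict) -> None:
    # The pre-2.25.1 pattern: open() creates the file with mode 0o666 & ~umask,
    # which is 0o644 (rw-r--r--) under the usual 022 umask.
    with open(path, "w") as f:
        json.dump(token_info, f)


def write_cache_hardened(path: str, token_info: dict) -> None:
    # Create the file owner read/write only before any token bytes reach disk.
    # os.open applies the mode at creation (umask can only remove bits), and the
    # trailing chmod also tightens a pre-existing, looser cache file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(token_info, f)
    os.chmod(path, 0o600)


def cache_file_exposed(path: str) -> bool:
    # True when any group or other permission bit is set on the cache file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    # Constructed sample token, not a real Spotify credential.
    token_info = {"access_token": "EXAMPLE-TOKEN", "scope": "playlist-modify-private"}
    old_umask = os.umask(0o022)  # pin the umask so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            permissive = os.path.join(d, ".cache-permissive")
            hardened = os.path.join(d, ".cache-hardened")
            write_cache_permissive(permissive, token_info)
            write_cache_hardened(hardened, token_info)
            return {
                "permissive_mode": oct(stat.S_IMODE(os.stat(permissive).st_mode)),
                "permissive_exposed": cache_file_exposed(permissive),
                "hardened_mode": oct(stat.S_IMODE(os.stat(hardened).st_mode)),
                "hardened_exposed": cache_file_exposed(hardened),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

Running cache_file_exposed() over an existing Spotipy cache file is a quick way to confirm whether an installation still carries the pre-2.25.1 permissions.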