Music streaming app Spotify has been serving malicious adverts to users.
A couple of weeks ago, a Spotify Free user posted about the issue on Spotify’s support forum. The user noted that the streaming service was repeatedly launching browser pop-ups featuring questionable downloads.
The original post has received 23 pages of comments from other users, many of whom observed similar problems. It’s also earned a direct response from Spotify.
Immediately beneath the user issue report, Spotify posted a response acknowledging ‘questionable website pop-ups’.
Spotify says the issue was limited to an ad on their Free tier. Now that it is resolved, they say they will ‘monitor the situation’.
Spotify has acknowledged that the malicious advertising was opening unwanted pop-ups via the user’s default web browser.
Some Spotify users observed worse effects, including adverts that attempted to install malware. Indeed, the original support forum post mentions that ‘Some of them do not even require user action to be able to cause harm.’
Reports indicate that the recent Spotify malvertising experience was limited to Mac and Windows desktop computers.
Malvertising: what and how
Many web services sell their advertising via third-party resellers. Resellers typically automate ad sales using online auctions. Auction winners supply code that is distributed via the client websites. If the code that is distributed presents a risk to web users, it is malicious advertising.
In recent times, the BBC, MSN, AOL and the New York Times have all been unwitting hosts of malvertising. Spotify now joins the list.