Spotify, the popular European streaming service was inadvertently serving ads that were laced with malware. The advertisement, which appeared within Spotify’s Windows desktop software, didn’t need to be clicked on in order to infect a user’s machine.
The exploit would install a bogus ‘Windows Recovery’ anti-virus program.
“Users with anti-virus software will have been protected,” Spotify said in a statement.
“We quickly removed all third party display ads in order to protect users and ensure Spotify was safe to use.
“We sincerely apologise to any users affected. We’ll continue working hard to ensure this does not happen again and that our users enjoy Spotify securely and in confidence.”
The vulnerability only affects users with free subscriptions.
Security research specialists Websense said it received the first report of “malvertising” on the service at 11:30GMT on 24 March, noting that it used the Blackhole Exploit Kit – a tool for hackers – to carry out the attack.
Malvertising is usually confined to content viewed through web browsers, but this instance was displayed within the Spotify software itself for people with a free membership.
“The application will render the ad code and run it as if it were run inside a browser,” explained Websense’s Patrik Runald in a blog post.
“This means that the Blackhole Exploit Kit works perfectly fine and it’s enough that the ad is just displayed to you in Spotify to get infected, you don’t even have to click on the ad itself.
“So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected.”