Aaron Parecki

Excellent! What'd you end up using to record the stream then?

If this ends up being legit, then I'm taking away 2 things from this:

Get your support team on the same page as your marketing agencies.

They should have also sent this to me since I get a dozen messages a week from artists' PR agencies asking to be added to my playlist 😅

Oh wow, that escalated quickly...

Now they are officially claiming to be Spotify

Sending a bunch of clickbait links

Asking for your physical address...

This is both a very confusing scam, and also a very confusing promotion if legit

Yeah exactly. That was some expert level social engineering right there.

This one! https://youtu.be/bnknQ5gGvng

Yeah definitely could be that. Really you’d need to get someone from @SpotifyCares to confirm this is actually the PR agency they use. I’m pretty sure @snubs and I mentioned this in our video actually 😄

Interesting. Even if it is “legit” — as in it really is some third party company offering some sort of real service — unless they have permission from @Spotify, they can’t be going around using Spotify’s trademark in their domain and business names.

Yikes, found a reference to it in this article, definitely malware https://www.zdnet.com/google-amp/article/promethium-apt-attacks-surge-government-sponsorship-suspected/

That's exactly what I want, but across the whole internet, oh and maybe drop the password too 😅

My problem with this whole thread is that yes, of course we need something better than passwords, but also, yes, there is a lot of improvement being made right now. It's not like someone can make something that "solves passwords" and suddenly everyone will be using it.

There's a scifi book from 10 years ago about literally this, it's a trip 😂 https://amzn.to/37oaMKb

Depends on what's powering the other end of the fiber line. I guess mine is on a different grid, but I'm also in a weird spot between two different power companies.

👏 that is some A plus countertrolling 👏

I would if it were me! Just stay on high alert mode of course... don't download anything, don't connect any OAuth apps to anything, and click links only using an isolated computer. I'm always curious about these things!

yeah I suspect you're right. I'm curious what the next play is. Maybe they send you a download link to the special "Spotify VIP" app?

Clearly I need to beef it up a bit, but right now I have a UPS on the network gear and also at my desk. It can keep things powered for about 30-40 minutes, and my internet is fiber so it stays online too

No not really, that's why the redirect URL is so important to get right. It's not a great situation, but it would require cooperation from the OS in order to have a more secure flow. That said, it's also a relatively unlikely attack vector so people mostly don't worry about it.

Yes, you're right, but that doesn't mean PKCE is not secure. This is just an inherent limitation of public clients that can't use a client secret. PKCE does solve several attacks, but it doesn't provide authentication of the app itself.

That's one opinion yes. There are good arguments on both sides.