Spotify has promised to review its security following an attack that exposed users of the free version of its music streaming service to malware on Thursday. Tainted ads displayed to music fans served up content from sites that used the Blackhole Exploit Kit in an attempt to infect users with the Windows Recovery fake anti-virus …
Simple cure for this type of problem
I use Spotify occasionally, but only in a browser and only with NoScript and Adblock blocking most of the crap. If you want users to trust your application then you need to distribute an application rather than a security vulnerability package dressed up as an app. Get rid of the crap or end up like the AIM client. I wouldn't run their app in a disposable VM.
Don't serve third-party ads. Having no advertisements at all would be ideal, but many web sites depend on them as their only source of revenue. So turn them into first-party ads by getting the ad content, running it through a malware scanner or three, and host them on the site itself. In addition to blocking poisoned ads, this would get rid of ad network tracking, and allow highly-targeted advertising (e.g., on social networks) without sharing personal information with other companies. Everyone wins.
RE: One solution
Third party ads are (usually) served from CDNs (Crapvertising Delivery Networks) that have large pipes. If those ads were served from YOUR host, then YOU need the bandwidth, and end up paying for it.
adverts are small beans...
...in bandwidth terms when you're a music streaming outfit.
A link to the specific malware removal software would have been nice...
as opposed to a statement like, 'if you had a decent malware checker, you would have been fine...'
If you open the security hole, you have a level of responsibility to get rid of any infections.
Saying 'sorry' doesn't make it OK...
Whilst it would be good (for us and for them) for them to distribute some anti-malware in this situation, if "Third party ads are (usually) served from CDNs" then I think that the responsibility for this snafu lies fairly and squarely with the CDNs.
If they are to be allowed to push ads to thousands or millions of users then they must be made to GUARANTEE the ads they serve are malware- and virus-free.
It's not like they are serving millions of different random ads, there would only be a relatively small number saved on their site somewhere, it is just so plainly obvious they should actually scan them to make sure they have no problems.
The Cube - Spotify does run in the browser
Thanks for the useless advice, but Spotify can't be run via a browser.