Spotify Introduces Direct Messaging for Music Sharing, Security Risks Analyzed


Spotify has officially launched a new in-app direct messaging feature called Messages, now available to both Free and Premium users aged 16 and above in select regions. The update went live on August 26, 2025, and is designed to make sharing music, podcasts, and audiobooks more seamless while encouraging social engagement inside the platform.

How the Messaging Feature Works

With Messages, Spotify users can:

  • Tap the share icon from the Now Playing screen.
  • Select a contact from their suggested list.
  • Send tracks, playlists, or podcasts, along with text and emoji reactions.

Conversations are stored under the user’s profile menu. Suggested recipients are based on prior activity such as collaborative playlists, Jams sessions, or Family and Duo plan interactions.

[Image: Messaging Feature]

Security Infrastructure Behind Messages

Spotify built Messages on a RESTful API over HTTPS (TLS 1.3), secured with JSON Web Tokens (JWT) for session authentication. The company enforces encryption both in transit and at rest while scanning for harmful or illegal content under its Terms of Use and Platform Rules.

Users remain in control with the ability to:

  • Accept or reject message requests.
  • Block unwanted senders.
  • Disable the feature entirely in Settings.

Security Concerns and Risks

Cybersecurity researchers caution that any new messaging tool can open doors to potential exploitation if not tightly secured. Key risks include:

  • Cross-Site Scripting (XSS): Attackers could inject malicious JavaScript if message text is rendered without proper sanitization and output encoding.
  • Cross-Site Request Forgery (CSRF): A malicious site could cause a logged-in user’s browser to send messages, such as spam or phishing links, to that user’s contacts without their consent.
  • OAuth Exploitation: Fake websites or consent pages could trick users into granting access tokens to an attacker-controlled application.
  • Manipulated Spotify URIs: Attackers might swap safe links with malicious deep-link schemes to redirect users or trigger harmful app behavior.

Mitigation Recommendations

Experts suggest Spotify should enforce:

  • Strict input validation.
  • SameSite=Strict cookies.
  • Content Security Policy (CSP) headers.
  • Regular refresh token rotation, with immediate rotation when suspicious activity is detected.

Balancing Social Sharing and Security

As Spotify’s Messages feature expands globally, the platform must ensure a balance between smooth music discovery and strong security safeguards. For users, practicing safe clicking habits and being cautious of suspicious links will remain essential in avoiding compromise.