The Idea

Services like Youtube to MP3 hint at a simple workaround to purchasing music. This project aims to illuminate the presence of an unprotected exploit and arises from a spirit of curiosity. I use python to read a Spotify user's playlist, search and download from youtube based on tracks, and verify downloads with music recognition.


My code begins with a Spotify user. Any user can be authorized with the Spotify API. All of a user's saved tracks can then be accessed in the JSON format.


I query Youtube with each Spotify track using a Google API. If a suitable track is found, it is downloaded with youtube-dl and its cover art is downloaded from online.

ACR Cloud Console

I next build an app with ACR Cloud Console. ACR offers an API to enable music recognition (in the same way as Shazam). Each downloaded youtube track is verified with ACR; I ensure that each track downloaded from youtube is, in fact, the track I expected it to be. When a the ACR result does not match the Spotify track used to search, a reasonable number of further videos are downloaded from youtube and checked until a match is found.

An MP3 Library

Once a track is verified, it is stored as title.mp3. A folder hierarchy is structured to accurately reflect which songs belong to which albums and which albums belong to which artists. The folders are robust to special characters in artist, album, and song names. At this time I am still implementing metadata tag editing so that the MP3 library essentially functions as a searchable database.

Who Cares?

My program can generate thousands of properly named and formatted commercial MP3s for free. I tested a download early on Sunday morning; of 100 songs requested, 98 could be verified and were downloaded in 8 minutes over wifi. While Spotify offers services more valuable than static music libraries, my program demonstrates serious risk to music streaming services.

What next?

If I had more time, I would use the musiXmatch API to access lyrics for downloaded songs and include them as an ID3v2 tag on each track. I would also launch a flask application to demonstrate that my program is very accessible, and in fact would have the greatest power when used by the public rather than by developers only.

I loved this project. I learned lots about python but more importantly laughed a lot and bonded with great coders, friends and strangers alike. Highlights include rushing to find an Shazam-like API when the website of the ideal API went down for the entirety of the Hackathon.

Built With

Share this project: