Update: Spotify has patched the hole in its Web Player that was allowing the Downloadify plug-in to download songs from the streaming service.
The Chrome extension is no longer able to connect to Spotify, with a more secure protocol now in place to stop it being able to access songs that have been stored locally (in offline playlists).
Original story continues:
A duplicitous Chrome plug-in allows Spotify users to download music from the music streaming service.
It exploits the fact that Spotify allows users to store an offline version of each song (if they are premium subscribers) with minimal encryption.
But instead of just a temporary cache, once you have the Downloadify plug-in you can download a full, DRM-free MP3 file of any song simply by hitting play on the fledgling Spotify Web Player.
Oops I did it again
Although the Downloadify extension has now been removed from the Chrome Web Store (Google says it doesn't "comply with our terms of service", can't think why), it is still available from GitHub and the fact that the loophole exists will be worry enough for record labels.
Technically, the extension could allow you to sign up to Spotify for a month, download all the music you fancy then cancel your subscription. If that sounds fair and legal to you then you may need a trip to Ethics Academy - check your rum and pieces of eight at the door.
It's a real nightmare for Spotify - labels are notoriously easy to upset and its success as a music-streaming service relies on the strength of its library as much as anything else. And with royalty talks reportedly on-going, the timing's not great either.
Quite aside from the moral question mark over basically stealing music, the legality of the extension is pretty shaky so we'd really recommend you not trawl GitHub for it.
We're waiting to hear from Spotify with its reaction to the extension - we can bet it won't be a positive one though.