Pandora Radio: local storage reveals password and other data
Pandora Radio is a popular audio streaming website that is currently only available for users connecting from the United States (either directly or through the use of a proxy). It recently became known that Pandora is saving user account information in an insecure way.
People who investigated the issue first assumed that Pandora was saving passwords and other important user account information in clear text on the server, but that is apparently not the case. Still, when you open Pandora Settings on the web you can use built-in web development tools to reveal the password in cleartext.
It turned out that local HTML5 storage is used to save the information. While the data is saved in encrypted form, a weak encryption key was used to do just that. To make matters worse, the key is the same for all users of the service.
A proof of concept script has been created in the meantime that you can use to decrypt the storage with.All you need to do is copy the storage value to the clipboard and paste it into the form on the site to decrypt the information and reveal the password, user ID and email address of all users using Pandora on the computer.
In Chrome, you find the data under Developer Tools, Resources, Local Storage, www.pandora.com. Just copy the data and paste it into the form to see the information on the screen.
This works for as long as you do not log out of pandora.com after using it. If you do, the storage gets cleared out automatically so that no one can recover your passwords using the form. This was not the case previously but highlights how you can protect your account data from third parties that have local access to your PC. If you do not log out, your account information remain in the storage locally.
It is not really an issue if you are the only user on the computer, or make sure you protect the user account properly so that no one else can simply access it. It may be more important on public computers though.
Advertisement