mrb's blog

What the heck, Pandora?

Keywords: attack cryptography security

On Sep 20, 2012, it was reported that Pandora keeps a copy of your cleartext password in the persistent HTML5 local storage area for www.pandora.com. I decided to investigate. I reverse-engineered their javascript code and found that Pandora merely obfuscates passwords with a single static encryption key that is the same for everybody. I wrote a javascript utility to demonstrate the vulnerability by decrypting Pandora passwords. In other words, even after a user logs out of Pandora, another user of that computer can access the local storage, recover your password, and log back into pandora.com under your identity! This is obviously an issue for shared computers (family computer, computer lab, internet coffee shop, etc.).

As of Sep 21, 10:20 UTC, some report that Pandora "fixed" the issue, but this is not true. The form is not automatically populated anymore with the password, but the password is still saved in the local storage.

As of Sep 21, 11:35 UTC, it appears that Pandora removes the password from local storage when logging off. Passwords can still be stolen if users do not explicitly log off.

I put the Pandora password decryption utility up on pandorhack.zorinaq.com.
