There are reports circulating related to the security of users’ Pandora passwords. It’s not a password leak or an attack, however, but there’s concern that passwords aren’t being well secured on users’ computers. Initially, word was that Pandora was storing cleartext passwords (meaning unencrypted) directly on users’ hard drives, which would have been a major concern. Specifically, those passwords are being stored in the HTML5 local storage area for the www.pandora.com website. However, it appears that the passwords aren’t being stored in cleartext, but are encrypted using a single static encryption key which is the same for all users. While that’s a step up from the earlier, more concerning situation, it’s still a risk.
Details of the issue were first posted to Google+ by Amber Yust, a software engineer at Google. It was soon after picked up by Hacker News.
A developer, Marc Bevand, then demonstrated how easy it would be steal a user’s Pandora password off their computer using a simple hack he created in response to the information.
This is not something that users should immediately freak out about, but it may be worthwhile to change your Pandora password if you access Pandora’s website on a shared computer or at an Internet cafe, especially if that password is one you use across the web for other sites of a more personal and private nature.
That being said, it is generally not considered a best practice to store a website’s password on a user’s computer, and if a website is going to do so, then the password should at least be properly encrypted. In fact, it’s not very common to save passwords in local storage at all. It’s also only possible in modern web browsers which support HTML5 (like the current versions of Chrome, IE and Safari now do).
In Pandora’s case, not only are passwords being stored locally, they’re not properly encrypted. Technical readers can follow the full thread on Hacker News, but the brief explanation is that the passwords are simply being obfuscated (meaning, hidden) using a single encryption key which is the same for everybody, according to Bevand’s tests seen here. In addition, he says the technique he created, a proof-of-concept hack to steal the Pandora passwords, can also expose users’ IDs and email addresses associated with the Pandora website.
Bevand updated the page to say that Pandora has today partially addressed the issue by removing the password from local storage, but that’s only the case when the user explicitly logs off. Users who simply close the browser or tab would still be affected.
The consequences of this security vulnerability in the wild are likely to be minimal, because a hacker would need physical access to a computer. However, this could affect users who share computers, like at libraries, institutions, at work, or at Internet cafes. More importantly, it raises the question that if Pandora isn’t using best practices in protecting passwords on users’ computers, how are they being stored on Pandora’s own servers, then? If the passwords were also not protected using decent encryption on their end, then a larger-scale hack could put users’ data at greater risk.
We’ve reached out to Pandora to confirm whether it’s aware of the problem and what the plan is to address this. We’ll update if/when we hear back.
UPDATE: Pandora has responded saying a fix is in the works, but downplays the vulnerability by calling it a “hypothetical” scenario. For what it’s worth, we stole a password off our own computer today using the hack but that probably doesn’t count.
The security issue reported yesterday relates to the hypothetical scenario where a hacker must first take control of a user’s personal computer and then use that access to extract that particular user’s Pandora password. Our engineering team is taking steps to address this vulnerability. At no time were passwords compromised at the Pandora server, network, or cloud level.
UPDATE 2: Pandora has now also sent the following statement below.
Pandora always encrypts passwords on the network using SSL. On the Pandora servers passwords are never recorded, instead they are salted and hashed using bcrypt and the resulting one way hash is recorded. These are industry best practices and they ensure that hackers cannot access Pandora passwords via intrusion into the Pandora datacenters or network.