Pandorhack: Stealing Pandora Passwords

See associated blog post: What the heck, Pandora?

On Sep 20, 2012, it was reported that Pandora keeps a copy of your cleartext password in the persistent HTML5 local storage area for www.pandora.com. I decided to investigate. I reverse-engineered their JavaScript code and found out that Pandora merely obfuscates passwords with a single static encryption key that is the same for everybody. I wrote a JavaScript utility to demonstrate the vulnerability by decrypting Pandora passwords. In other words, even after a user logs out of Pandora, another user of the same computer can access the local storage, recover your password, and log back into pandora.com under your identity! This is obviously an issue for shared computers (family computer, computer lab, internet coffee shop, etc.).

As of Sep 21, 10:20 UTC, some reported that Pandora "fixed" the issue, but this is not true. The login form is no longer automatically populated with the password, but the password is still saved in the local storage.

As of Sep 21, 11:35 UTC, it appears that Pandora removes the password from local storage when logging off. Passwords can still be stolen if users do not explicitly log off.

"Pandorhack" decryption tool

The following JavaScript utility demonstrates the vulnerability by decrypting the piece of local storage data to expose all the passwords it contains. Hopefully this will entice Pandora to implement additional measures to protect their users' passwords.

First, access the local storage area for www.pandora.com, key jStorage (in Google Chrome: Developer Tools, Resources, Local Storage, www.pandora.com). Then copy and paste the jStorage value into the text field below (I pre-populated it with an example) and click Decrypt. The output should expose passwords and other information, such as user ID and email address, of all Pandora accounts that logged in using this browser.

[Text field: jStorage value]

[Output area: Decrypted values (look for "Uxxxxxxxxx.Password"); populated when "Decrypt" is clicked]
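As an added example (not the decryption tool from this page), the following script takes the defender's side of the same problem: it parses a jStorage blob copied out of local storage, lists the keys that look like credentials, and shows the logout-time cleanup the post says was missing. The `__jstorage_meta` entry is assumed from the jStorage library's format, and the sample blob is constructed, not real Pandora data.

```javascript
// Added example (not Marc Bevand's tool): audit a jStorage blob copied out of
// localStorage for credential-looking keys, then show the logout-time cleanup the
// post says was missing. "__jstorage_meta" is assumed from the jStorage library's
// format; the sample blob below is constructed, not real Pandora data.

// Key names that should never survive in localStorage after logout; the
// "Uxxxxxxxxx.Password" pattern is the one the post tells readers to look for.
const CREDENTIAL_KEY_RE = /\.(password|email|userid)$/i;

// Parse the raw "jStorage" value and return the keys that look like credentials.
// Obfuscation does not change the verdict: a static key shipped in the site's
// own JavaScript gives the stored value no more protection than cleartext.
function findCredentialKeys(jStorageValue) {
  let store;
  try {
    store = JSON.parse(jStorageValue);
  } catch (e) {
    throw new Error('jStorage value is not valid JSON: ' + e.message);
  }
  return Object.keys(store)
    .filter((k) => k !== '__jstorage_meta' && CREDENTIAL_KEY_RE.test(k))
    .sort();
}

// What a logout handler should do: strip credential entries from the blob and
// write it back. Returns the removed keys so the caller can log the cleanup.
function scrubCredentials(storage) {
  const raw = storage.getItem('jStorage');
  if (raw === null) return [];
  const store = JSON.parse(raw);
  const removed = findCredentialKeys(raw);
  for (const k of removed) delete store[k];
  storage.setItem('jStorage', JSON.stringify(store));
  return removed;
}

// Constructed sample shaped like the blob the post describes (placeholder values).
const SAMPLE_JSTORAGE = JSON.stringify({
  __jstorage_meta: { CRC32: {}, TTL: {} },
  'U123456789.Password': 'OBFUSCATED_PLACEHOLDER',
  'U123456789.Email': 'OBFUSCATED_PLACEHOLDER',
  volume: 80,
});

// Minimal in-memory stand-in for window.localStorage so this runs under Node.
function memoryStorage(initial) {
  const m = new Map(Object.entries(initial));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); } };
}
```

Calling `scrubCredentials(memoryStorage({ jStorage: SAMPLE_JSTORAGE }))` returns the two credential keys and leaves only `__jstorage_meta` and `volume` in the stored blob; in a browser the same function would be handed `window.localStorage` from the logout handler.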

Source code and author

Just view the source code of this page. The encryption algorithm and key have been extracted from http://www.pandora.com/script.combined.js (local copy: script.combined.js.20120920-19h26). The algorithm does not resemble anything I am familiar with.

-Marc Bevand