See associated blog post: What the heck, Pandora?
As of Sep 21, 10:20 UTC, some report that Pandora "fixed" the issue, but this is not true. The form is not automatically populated anymore with the password, but the password is still saved in the local storage.
As of Sep 21, 11:35 UTC, it appears that Pandora removes the password from local storage when logging off. Passwords can still be stolen if users do not explicitly log off.
First, access the local storage area for www.pandora.com, key jStorage (in Google Chrome: Developer Tools, Resources, Local Storage, www.pandora.com). Then copy and paste the jStorage value into the text field below (I pre-populated it with an example), and click Decrypt. The output should expose passwords and other information (user ID, email address, etc.) for all Pandora accounts that logged in using this browser.
Decrypted values (look for "Uxxxxxxxxx.Password"):
Just view the source code of this page. The encryption algorithm and key have been extracted from http://www.pandora.com/script.combined.js (local copy: script.combined.js.20120920-19h26). The algorithm does not resemble anything I am familiar with.
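As an added example (not the page's own decrypt tool and not Pandora's code), a small audit function that parses a jStorage blob and reports which keys look like persisted credentials, without decoding their values. The key pattern is inferred from the page's "Uxxxxxxxxx.Password" and the sample blob is constructed.

```javascript
// jStorage keeps a single JSON object under the localStorage key "jStorage";
// the "__jstorage_meta" entry holds TTL/CRC bookkeeping and is skipped.
// Key pattern assumed from the page's "Uxxxxxxxxx.Password" (U + digits).
const CREDENTIAL_KEY = /^U\d+\.Password$/i;

// Show only the first and last two characters so a report can be shared safely.
function mask(value) {
  const s = String(value);
  if (s.length <= 4) return '*'.repeat(s.length);
  return s.slice(0, 2) + '*'.repeat(s.length - 4) + s.slice(-2);
}

// Returns { error, findings }; findings list every credential-looking key
// still present in the blob (e.g. after the user closed the tab without logging off).
function findPersistedSecrets(jstorageText) {
  let store;
  try {
    store = JSON.parse(jstorageText);
  } catch (e) {
    return { error: 'jStorage value is not valid JSON', findings: [] };
  }
  if (store === null || typeof store !== 'object' || Array.isArray(store)) {
    return { error: 'jStorage value is not a JSON object', findings: [] };
  }
  const findings = [];
  for (const [key, value] of Object.entries(store)) {
    if (key === '__jstorage_meta') continue;
    if (CREDENTIAL_KEY.test(key)) {
      findings.push({ key, masked: mask(value), length: String(value).length });
    }
  }
  return { error: null, findings };
}

// Constructed sample blob (not real Pandora data): two accounts plus jStorage metadata.
const SAMPLE_JSTORAGE = JSON.stringify({
  '__jstorage_meta': { TTL: {}, CRC32: {} },
  'U123456789.Password': 'AbCdEf0123456789',
  'U123456789.Email': 'user@example.com',
  'U987654321.Password': 'ZyXw',
  'someUnrelatedSetting': 'on'
});

// In a browser console on the site: findPersistedSecrets(localStorage.getItem('jStorage') || '{}')
console.log(findPersistedSecrets(SAMPLE_JSTORAGE));
```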
-Marc Bevand m.bevand at gmail.com