Note: This is not a password leak - you don't need to go and change your password on every site you use. Just change your Pandora password to something that isn't used elsewhere. Pandora have at least partially patched the issue. But it's still a good idea to use different passwords for different sites.

---

If you have a Pandora account, I highly recommend using a throwaway password for it (assuming you don't do so already).

Why? Because Pandora doesn't one-way hash their passwords. If your account is logged in on a computer, anyone who sits down at that computer can go and look up your password on Pandora's settings page.

Attached is an image that shows what that settings page looks like upon load - I haven't manually entered anything into the form fields and I don't use Chrome's auto-fill; the text in the fields is populated by Pandora.... including the plaintext of the password.

Things like this are why I wrote a blog post about how to do web app auth correctly:
http://codingkilledthecat.wordpress.com/2012/09/04/some-best-practices-for-web-app-authentication/

Thanks to +Dan Boger for bringing this up.

---

Edit: Also just discovered that their password-reset tokens aren't single use. You can reset the password of an account multiple times with the same reset token link...

Also, since Pandora allows you to just change the password field and hit "Save", if you come across someone's logged-in computer, you can just change their password even if Pandora didn't tell you what it was. (The right way to do this is to require the user to enter their current password along with the new password, and pre-fill none of the fields.)

---

Edit 2: It has been pointed out in the comments that even though the password itself appears to be fetched over HTTPS, the page it is inserted into is not... and thus a man-in-the-middle attack is possible to retrieve a user's password by injecting a script into the main page that reads it from the DOM, if you have control of the upstream (e.g. if you're the owner of a public wireless network or the like).

---

Edit 3: It has been further observed that Pandora appears to store the password using local storage in encrypted form and then load it into the password box locally. While this does indicate that they probably don't send unencrypted passwords over the wire, it doesn't change the fact that it is trivially easy for someone to walk up and look at your password.

---

Edit 4: Let's be clear: this isn't about how Pandora stores passwords in their database. As investigation has shown, it is quite possible that Pandora doesn't use plaintext passwords server-side. (The only entity that could definitively answer that question is Pandora.) The issue being raised here centers on the fact that it is trivially easy to recover the plaintext form of the password stored *client-side*.

---

Edit 5: Pandora has now at least partially patched this; the password field now contains "__USE_EXISTING__" by default unless changed.

#security   #pandora
Shared publiclyView activity