

Pandorhack: Stealing Pandora Passwords - mrb
http://pandorhack.zorinaq.com/

======
olalonde
To be fair, this is really a tiny issue compared to them storing plaintext
passwords server side as they were initially accused of doing. If you have
access to a browser's local storage, you can also probably install a browser
extension that key logs any password inputs. Or you can view all the browser's
saved passwords. etc.

~~~
wizard_2
I disagree. Putting aside saved passwords, which I admit is a big aside, the
browser's usual attack vector is login or session cookies. It will grant users
access to the account but it doesn't usually leak any information in itself.
However this leaks the email, username, password, and a myriad of other data.
This is compounded by the risk of leaking data in the event of a javascript
injection. Usually this would allow the js to steal login cookies or do
actions on the site (hopefully anything 'secure' requires an additional
password input), but now they can whisk the usernames and passwords off site,
which elevates the breach to be almost as bad as a database leak.

~~~
cbsmith
Again: If there is JavaScript injection, they can capture the password at the
time you enter it anyway. Once you have JavaScript injection, almost any site
will cough up all that data without issue. Heck, they can do a full-on man in
the middle attack if they so desire.

It doesn't appear that merely cloning a login session cookie would get you
access to the password, as it does not appear that the server even knows what
it is. In fact, this approach they've used seems like it would allow for
password challenges whenever Pandora wanted to, which makes session stealing
far less effective.

------
droithomme
Every week a story like this comes out. And a lot with really large companies
that have huge amounts of funding and are certainly capable of hiring people
who know what they are doing.

As fun as they are to read about, I don't care so much about the actual
attacks. How to do it wrong is well known.

I am interested in what causes this problem in general. What is causing so
many companies to have such abysmal security practices even though we know how
to do it better? Can it be fixed?

If the industry does not police this, the government will have to regulate us
to ensure compliance with more reasonable practices. That means auditing of
our code by independent agencies, paying the fees to do so, suffering the
inevitable cases where code is stolen by corrupt auditors, and the foot in the
legal door for future and expanding governmental code regulation and auditing
at all levels, not just web facing. It would be much better if we could solve
this problem ourselves as a responsible industry and avoid the necessity for
invasive regulation.

------
DigitalSea
It shocks me that people keep downplaying the issue here. Storing a password
in a visitor's browser, especially in a place where it can be exploited, is lazy
not only from a security perspective, but if a user's original password can be
exposed as well as their email address, a lot of people use the same password
for everything (not everyone is a security conscious developer), especially
email. This is just lazy programming and security at its finest, so glad I
don't use Pandora.

------
measlyweasel
Oh noes! you mean my hacker mom will be able to log onto my pandora account
and listen to my Yes/Supertramp mix station!!??

Ok, admittedly, bad form on Pandora's part, but seems pretty low impact to me.

~~~
matthuggins
I strongly disagree. People use the same password on multiple sites all the
time. If someone shares a password between Pandora and Gmail or PayPal, for
example, you now have access to their email or their money.

~~~
cbsmith
Honestly, if you share your PayPal password with other sites, you are already
asking for it pretty badly. I'd say the same thing about your Google password,
but if you use two-factor authentication it isn't quite so bad (and in that
case Pandora isn't a concern).

The reality is though, what Pandora is doing prevents the password from going
over the 'net at all, which arguably protects it from being stolen _better_.
For someone to get access to it, they'd need access to your machine, at which
point... just how secure do you think your PayPal and Google accounts
(assuming no two-factor auth) will be?

The main increased risk factor if you shared your PayPal and Pandora passwords
would be that if someone had read-only access to your filesystem, they could
still get your PayPal password (which wouldn't otherwise be the case). This
would be a potentially big exposure if you have unencrypted backups (though
why backup HTML5 storage or browser data in plaintext to an untrusted target
if you want security?) or for whatever reason you let other people read your
browser profile directory.

Still doesn't feel like a big deal.

------
xyzzy123
Interesting though. We all knew HTML5 local storage bugs would happen, but
this is the first one I've seen in the wild.

~~~
taf2
How is this a bug in localStorage? Isn't he just reading the values from the
browser when viewing pandora.com?

~~~
cbsmith
I don't think he meant bugs _in_ localStorage, but rather bugs in code that
uses localStorage.

~~~
xyzzy123
Yes, I meant bugs arising from poor use of localStorage.

