Hacker News new | comments | show | ask | jobs | submit login

> Update 04:49 UTC: I am done reverse-engineering Pandora's javascript code!

Good job!

> This is not a huge flaw, but they should certainly not store sensitive data like the user's password in the local storage.

Well, if it was properly encrypted, I'd disagree with you, but since it isn't, I'm not going to quibble.

Out of curiosity, how do you know the key is static, and not per account? Did you test with two accounts?

Yup, I tested with 2 different accounts, using 2 different browsers, even from 2 different IPs. The static keys seem to never change, they are served from the same .js file.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact