Hacker Newsnew | comments | show | ask | jobs | submitlogin

> Update 04:49 UTC: I am done reverse-engineering Pandora's javascript code!

Good job!

> This is not a huge flaw, but they should certainly not store sensitive data like the user's password in the local storage.

Well, if it was properly encrypted, I'd disagree with you, but since it isn't, I'm not going to quibble.

Out of curiosity, how do you know the key is static, and not per account? Did you test with two accounts?

Yup, I tested with 2 different accounts, using 2 different browsers, even from 2 different IPs. The static keys seem to never change, they are served from the same .js file.


Applications are open for YC Summer 2015

Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact