Mood Media offers a 12-month warranty on all new media players for the Pandora for Business service. This 12-month period begins on the date the player is shipped. Mood Media will replace defective media players at no cost during this 12-month period. Please note that the warranty does not cover: any equipment other than the Media Player; damage to the Media Player caused by the negligent or willful acts of you, your employees, agents or business invitees; theft; vandalism; water (or other liquids); fire; lightning; wind; snow; acts of God; or power surges.

If you believe your media player is defective, please contact Mood Media Customer Service at 80 to troubleshoot your player. In many cases player issues can be resolved over the phone. If it is determined that the media player is defective, Mood Media will "advance replace" a new player and send you a Return Shipping label for you to return your defective player to Mood Media. For more information on Mood Media's warranty, please refer to our Terms of Service.

There are reports circulating related to the security of users' Pandora passwords. It's not a password leak or an attack, but there is concern that passwords aren't being well secured on users' computers.

Initially, word was that Pandora was storing cleartext (that is, unencrypted) passwords directly on users' hard drives, which would have been a major concern. Specifically, the passwords are being stored in the HTML5 local storage area for the website. However, it appears that they aren't stored in cleartext but are encrypted using a single static key that is the same for all users. While that's a step up from the earlier, more concerning report, it's still a risk.

Details of the issue were first posted to Google+ by Amber Yust, a software engineer at Google, and were soon picked up by Hacker News. A developer, Marc Bevand, then demonstrated how easy it would be to steal a user's Pandora password off their computer using a simple hack he created in response to the information.

This is not something users should immediately freak out about, but it may be worthwhile to change your Pandora password if you access Pandora's website on a shared computer or at an Internet cafe, especially if that password is one you reuse on other sites of a more personal and private nature.

That being said, it is generally not considered a best practice to store a website's password on a user's computer at all, and if a website is going to do so, the password should at least be properly encrypted. In fact, it's not very common to save passwords in local storage; doing so is only possible in modern web browsers which support HTML5 (as the current versions of Chrome, IE and Safari now do).

In Pandora's case, not only are passwords being stored locally, they're not properly encrypted. Technical readers can follow the full thread on Hacker News, but the brief explanation is that the passwords are merely obfuscated (meaning, hidden) using a single encryption key that is the same for everybody, according to Bevand's tests. Because that key has to be available to the site's own JavaScript in order to decrypt the value, anyone who can read the stored value can also recover the password; a shared static key is protection in name only.

Bevand updated the page to say that Pandora has today partially addressed the issue by removing the password from local storage, but only when the user explicitly logs off. Users who simply close the browser or tab would still be affected. In addition, he says the technique he created, a proof-of-concept hack to steal Pandora passwords, can also expose users' IDs and email addresses associated with the Pandora website.

The consequences of this vulnerability in the wild are likely to be minimal, because an attacker would need physical access to the computer (or, more generally, the ability to run script in the site's origin, since local storage is readable by any same-origin script). However, it could affect users who share computers, like at libraries, institutions, at work, or at Internet cafes.

More importantly, it raises the question: if Pandora isn't using best practices to protect passwords on users' computers, how are they being stored on Pandora's own servers? If the passwords were also not properly hashed or otherwise protected on that end, a larger-scale breach could put users' data at greater risk.

We've reached out to Pandora to confirm whether it's aware of the problem and what the plan is to address it.

UPDATE: Pandora has responded saying a fix is in the works, but downplays the vulnerability by calling it a "hypothetical" scenario. For what it's worth, we stole a password off our own computer today using the hack, but that probably doesn't count.