Pandora.com’s box

Recently I discovered and tuned in to the Pandora service. This online music provider is really easy and fun to use.

Once you are registered you can choose the music you want to listen to by creating “channel(s)”, each channel identified by an artist or a song name. The selected channel will stream out music that the Music Genome Project classifies as similar to what you chose when you created the channel. For each of the songs you further decide whether you like it or not, which in turn fine-tunes the channel’s specification.

I loved Pandora from the first minute I heard its music, and the first thing I noticed was that I no longer get those annoying pauses when one of my colleagues decides to download something huge. This actually amazed me: it was the first time I got streaming music of this quality without those creepy noises. Well, I had to check how they did it.

I fired up a sniffer, looking for the incoming traffic going to Pandora’s player. I was pretty amazed when I discovered that the player sends plain HTTP GET requests to download the songs as mp3 files. This means that the player does not really stream the music: it downloads each song and then plays it.

The next step was to open the Live HTTP Headers Firefox plugin to grab the GET requests that download these mp3s :evil: .

Well, because I am a person who wears the right colored underwear, I dropped a mail to the support dudes at Pandora.com.

Recently we discovered a security flaw in the Pandora service your company provides.

Pandora’s flash player sends an HTTP GET request to retrieve the music it plays as mp3 files. Those links are static and do not require any kind of authorization to retrieve the files. By sniffing network traffic it is possible to get those links, thus revealing the static location of the mp3 file.

The impact of this problem is that it allows users to store music locally and to share music with others (even non-Pandora.com users) by sending / posting the links.

Looking forward to your response.
…..

The response was along the lines of: the flaw is not actually a flaw, rather it is a known feature :mad: .

Thanks for the heads up. We’re aware of this issue. Actually, the URL will only work for a short period of time while the song downloads, so it’s impossible to post them for others later.
…..

I stated that the links are static, and the links I grabbed when sending the notification still look valid to me. Should I convince the vendor that I’m right? Naaw, I’ll just blog it ;) . So actually you can share songs too, not only the channels.

P.S. The URI of the GET request contains a long field named “token”, which looks encrypted, base64 and URL encoded to me. It would be interesting if somebody invested the time to decompile the Flash to see if it’s possible to download any of the 300.000 songs directly. Who knows, maybe they use the Blowfish cipher with a static key? :evil: .
Anyway, if somebody did, please keep us informed.
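The vendor’s reply claims the links only live for the download window, while the post’s point is that a static, unauthenticated link stays usable by anyone who captured it. As an added example (not Pandora’s code and not the post author’s), here is the kind of session-bound, expiring signed link that makes a sniffed URL worthless once the window passes; the host, paths, session ids and the secret are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side secret for this example. A real deployment loads it
# from a secret store and never ships it inside the client; a static key
# embedded in a Flash player would be exactly the mistake the post speculates about.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _signature(path: str, session_id: str, expires: int) -> str:
    """HMAC-SHA256 over the media path, the listener's session and the expiry time."""
    msg = f"{path}|{session_id}|{expires}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_media_url(base_url: str, path: str, session_id: str,
                   ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a media link that is valid only for one session and a short window."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    query = urlencode({"sid": session_id, "exp": expires,
                       "sig": _signature(path, session_id, expires)})
    return f"{base_url}{path}?{query}"


def verify_media_url(url: str, session_id: str, now: Optional[int] = None) -> str:
    """Return 'ok', or the reason the media server should refuse to serve the file."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        sid = params["sid"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return "malformed"          # a bare static link carries no token at all
    current = int(time.time()) if now is None else now
    if current > expires:
        return "expired"            # a sniffed link replayed later no longer works
    if sid != session_id:
        return "wrong-session"      # a link posted to someone else no longer works
    if not hmac.compare_digest(sig, _signature(parts.path, sid, expires)):
        return "bad-signature"      # path, session or expiry was tampered with
    return "ok"


if __name__ == "__main__":
    # Constructed demo: a 60-second link issued at t=1000 for session "sessA".
    link = sign_media_url("http://media.example", "/audio/track123.mp3",
                          "sessA", 60, now=1000)
    print(link)
    print(verify_media_url(link, "sessA", now=1030))   # ok
    print(verify_media_url(link, "sessA", now=1100))   # expired
    print(verify_media_url(link, "sessB", now=1030))   # wrong-session
```

The check order matters little for security but helps logging: an expired link and a link replayed from another session are the two cases the post’s observation would have produced.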

  • http://www.whiteacid.org WhiteAcid

    I’ll just download some of my scratched CDs then have a look at the flash player and such :)
    I’ll make a post if I find something decent.
    Oh, one thing that bugs me with the comments here is that the paragraph breaks are only one line; it’d be more readable in my opinion if they were two.

  • http://www.BeyondSecurity.com noam

    I have also used Pandora for a few days, and found that you can get the music you like after about 10-20 adjustments of like/don’t like.

    From that point you can pretty much build your CD collection :)

  • http://www.techroot.org F-117

    I love Live HTTP Headers, it’s easier than using a sniffer like Ethereal looking at connections on port 80.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    If a site uses flash for something that major, you know there’s going to be trouble…

  • hunter

    I’ve been looking through this as I saw a spike in my network traffic when a new song started to play and then calmed down after a while. I’ve looked through the flash file and it at least says Blowfish in the source code. The download link (as you most likely have seen) is passed to the player in an XML document, so the flash does no encryption on that part, but all requests are encrypted. I’m not a flash guru (actually I don’t know ActionScript at all) but I’m slowly beginning to understand what this flash thingy does.

    And the reason for the use of MP3s and not streaming seems to be that Flash doesn’t support streaming audio, only streaming video (and that only with an extra stream server from Macromedia). Not that I’m complaining, I’m hoping to see some kind of stand-alone player; that’d be great to have on my small linux server/media center.

  • shadow

    I’m trying to write an alternative player for Pandora. I’m able to record the MP3s the player requests and rename them. But I’m not able to request songs from the server. I’m working on decrypting the XML request but I had no luck, because I’m not good in flash. If anybody has more information than me, feel free to contact me here. I’ll come back and write my mail address if somebody is interested in sharing information.

  • hunter

    I have successfully recovered the blowfish subkeys from the flash file and used them in java to decrypt the requests. As far as I gathered there is some validation info that travels by HTTPS during the login sequence. I will look further into this and see what I can gather. As shadow, if anyone knows flash by heart and feels like helping out, drop a comment and I’ll give my mail.

    PS. Shadow, by using the sniffed traffic I have been able to duplicate the request and issue a new getFragment, which gives you a new list of files, but this never works forever as some values change, especially over sessions .DS

  • shadow

    Hi hunter. Can you mail me your source? Let’s share further information. My mail address is thunderchicken (at) gmx.net.

  • shadow

    Hi hunter. Not interested in sharing information? For blowfish decryption, did you use the P and S-boxes from resources.output or is there a password? Did they use the standard blowfish algorithm or is there any modification?

  • http://antihero.com/mike m1ke
  • http://www.nuweb.co.uk FunShed.com

    Thanks for this tip, using the nice FF app and flasget to get all the music I will ever need.

    I love this, as it’s super super fast.
    I’ll soon code something to get songs. Just need to figure out what the big hash is about. :( .

    curl rulez!

    Catch you guys sooN!…

  • http://localhost/dev/null/ Dimatter

    Maybe you noticed that whenever you decompile the flash file – you get an error/app crash.

    The flash files are generated on request – which means they can easily put a session_id in the flash itself. It’s been a while since I tried to crack Pandora’s box – I don’t remember the name of the framework they used to create the whole thing. One thing is for sure – they sure didn’t use Macromedia Flash to make the interface. The whole thing is generated through that framework.
    For those who decompiled – just find the comments in the source – those are the comments of the framework they’re using.

    I’m good with AS/AS2 and flashcom but Pandora’s source looks awful to me so I just dropped it.

    dimatter at gmail dot com

  • zache

    Pandora is OpenLaszlo’s poster-boy project, and OpenLaszlo is an XML-to-virtual-machine code generator. The Flash VM is its main supported VM.

  • http://-- GoRide

    Shadow. Can you post your email? I’d like to see the alternate Pandora Player you did :)
    I’m looking for something like this for a long time (tried to build one by myself…).

  • GoRide

    Shadow…you can contact me at:
    tidhar.nitzan at gmail.com

  • Faz

    Hi to All (sorry my english)
    Can someone explain to me how I can record the songs with pandora?
    Using Live HTTP Headers I use the url and I can download the mp3 file, but without tags for title etc…

    Thanks

    Faz

  • GoRide

    Faz, how did you use Live HTTP Headers to collect the song? When I used the url the server returned an error.

  • Faz
  • MrBrdo

    Here’s a windows client:
    [url removed]

    I will post if there’s an update. Report bugs here.

  • GoRide

    MrBrdo – can you also post the source code?

  • http://www.BeyondSecurity.com Lev

    MrBrdo, sources will be warmly welcomed :)

  • MrBrdo

    Hey Lev. Where can i reach you (mail)?

    regards

  • http://www.BeyondSecurity.com Lev

    guiding5 at gmail

  • Chris Evans

    Is there an alternate location for the “removed” windows client URL or source? I’d like to get my teeth into a proper reverse engineering project.

  • MrBrdo

    Why reverse engineer it?
    The new link is here; the old one has been removed due to various reasons + old bugs:
    http://rapidshare.de/files/20715728/Pandora_1_0b.rar.html

  • Chris

    Am I being thick for asking, but does this download as mp3 with nice filenames etc?

  • Chris

    Ok yes, I was being thick for not looking at the ini :D Cheers MrBrdo. Are you gonna actively maintain this anywhere?

  • MrBrdo

    Well, I may decide to go for sourceforge, if I happen to release the source code, but not yet. For now I will probably just be posting links in case I update (but I think it’s pretty much finished).

    About the downloads, yeah I forgot about the ini. I removed the download functionality because it is *illegal* to download from pandora. I will remove the functionality from the ini in the next version.
    Anyhow, any ideas how to host the download-enabled version without it being available to the wide public (without pandora noticing it)? I wouldn’t want pandora to stop working because of it.

    regards

  • Chris

    Private mailing list for when you release a new version? I’m happy to host any files etc you need.

  • MrBrdo

    Thanks Chris, please tell me where I can reach you to discuss this. I think it will do.

    thank you

  • MrKishi

    Oh, great job MrBrdo!

    I’ve been trying to create a pandora player too, but I don’t know what those data posts are :S

    Humm, would you add me in msn so we can talk? :O
    mauriciokishi@gmail.com.

  • Chris

    MrBrdo – you can contact me at chrisduffer (at) gmail

  • pandoraRocks

    Have you guys checked out what’s going on over at hak5?

    There is a pretty decent open source project going on in this thread:

    http://www.hak5.org/forums/viewtopic.php?t=828&start=0&sid=8db588f5ac40011bcc74ea27dd5dca36

    There is a clever implementation using a home-brewed http server written in java….

    I looked at the source some and also discovered some nice action with hooking into the last.fm site.

  • GoRide

    Hi MrBrdo.
    Can You contact me at tidhar.nitzan (at) gmail ?
    Thanks…
    ^_^

  • http://pyrcast.com Pyrcast

    Hey, our new software Pyrrha Podcaster allows users the ability to create mp3 files from their favorite Pandora.com radio stations, communicating directly with their xml web services. Unfortunately I cannot divulge the specifics, but if there is enough interest we might be able to help point people in the right direction. The primary concern that we have with our approach is the possibility of abuse.

    Thanks!
    http://pyrcast.com

  • kraft101

    Hey MrBrdo,

    Nice app! But I have a proxy at work and I would need to modify something in your app in order to work. Could it be possible to have your source?
    kraft101@nospammail.net

    Thanks.

  • Just Me

    Just for curiosity, is there a free swf decompiler available? If so, what’s its name?

    And is the source of MrBrdo’s tool out anywhere?

  • MrBrdo

    hello all.

    No free swf decompilers as far as I know.. you’ll have to do it another way I guess ( ;) ). And what the hell is the deal with Pyrrha Podcaster? O_o
    The java thing just opens pandora in a separate window.. It doesn’t get rid of Flash. That’s why I made my thing.
    Oh, Just Me: the source is not out there.. why do you need it?

    regards

  • Just Me

    @MrBrdo:
    Well, I’d like to look into it. Mainly for curiosity, but secondly for adding streaming functionality. It would be real nice to just start a station on the linux server and listen to it on the media station.

    pm via jumberlag gmail com are welcome

  • Oskar

    Seems MrBrdo has vanished?!?

  • MrBrdo

    It seems as of now the program doesn’t work anymore.. they must have changed something O_o

  • MrBrdo

    I have changed the code necessary to make the program work again. I am not sure if I left something out, so it may happen that something will not work. Please tell me if you notice any bugs. Sorry for the delay but I was not able to do this sooner.

    URL http://rapidshare.de/files/24285694/Pandora_v6r1.rar.html

  • MrBrdo

    I am sorry I forgot to mention this:
    EVERYONE who downloads the new version MUST type in the password again (one time) to make it work, since the password encryption in the ini file has been changed.

  • eli mizrahi

    There is no download button in the new client version… can anyone help fix it???

  • Eremko

    @MrBrdo: just great win gui app … I like it, you definitely should do a webpage on sourceforge or somewhere and publish this to the others … I am also investigating writing my own pandora client but I’m not so friendly with XML-RPC yet; please can you send me your sources (mail below)? I would like to take a look, thx. zhorak at seznam.cz

  • MrBrdo

    @mizrahi: there is no download button on the new version because I don’t want pandora to think this app is bad. They don’t allow downloads from their site.. there is still download functionality in the app, but it is disabled and there is no way (for you) to enable it. I’m sorry, but none of us want to see pandora close the site, and I don’t want to have problems because the program enables you to download music from their site.

    The program (wPandora) still enables you to listen to music from Pandora without flash, which means you will burn much less RAM and processor to listen to the songs (flash+IE needs 58MB RAM on my computer, but wPandora needs 8MB). That is the main thing I wanted to achieve with this program.

    I would like to give you guys a chance to download the music, but I don’t see any way without breaking Pandora’s policy.

    @Eremko: I am sorry but I will not make the source code public, because then it is not hard to add download functionality, and the code is written in KOL pascal, so not many could use it anyway.

  • irieb

    MrBrdo,

    I want to write a pandora player for my tivo and need to figure out how to authenticate and get the xml fragments.

    The app will not download the mp3s just pipe the streams to my tivo box.

    As a test I used the fragment I found in my cache – in theory it should work

    wishlist:
    1) select station
    2) play station
    3) skip song
    4) display song information / album art

    any suggestions would be appreciated

    please post info here or email me (irieb AT gmail)

    thanks….

  • irieb

    Please send information to (irieb AT mac.com) instead – thanks!!!

  • MrBrdo

    I have corrected the client to work with the new version of Pandora. If there are some problems please let me know. http://rapidshare.de/files/26296695/Pandora_v7b1.rar.html

  • Wigmund

    Very nice app. Very tempted to have a go at building an XBMC client. I’m not sure the KOL Pascal source would be of much benefit to me, but notes on the general approach and what’s involved would be a useful starting block… ;)

  • MrBrdo

    Wigmund, that sounds very nice indeed. Leave your email and I will send you a description of exactly how the protocol works so you can start. I am going on vacation very soon now but I will try to send it to you some time after sunday.

  • irieb

    MrBrdo please copy me as well…

    thanks!!!

  • Wigmund

    Thanks MrBrdo, very much appreciated – email is mshire at nildram.co.uk

  • MrBrdo

    Wigmund: you should have gotten it by now.

    irieb: why do you need it?

  • ocomputerphreako

    MrBrdo,

    I’m trying to write my own client to stream pandora from a server in my lan to other computers and listen to it via iTunes. I’m having some problems encrypting the xmlrpc requests; if you could contact me at ocomputerphreak at gmail.com I’d appreciate it. Thanks.

  • ocomputerphreako

    The email address in the previous post should be “ocomputerphreako” at gmail.com

  • http://geoff.plan8studios.com Geoff

    I’m also trying to write a pandora client. Any chance someone can share the protocol details with me as well? me4twad [at] gmail (dot) com

  • MrBrdo

    Geez, now everyone wants to write their own client O_o

  • MrBrdo

    I have decided to make a page with pandora clients that may be created in the future, and with the always-updated version of my client.
    http://www.mrbrdo.net/pandora/

  • irieb

    I want to write a client for my Tivo box – the server will be implemented in java.

    I need the protocol / methodology for requesting the xml fragments with the song info.

    thanks!!!

  • MrBrdo

    Gimme your e-mail and I may send it to you.

  • irieb

    irieb AT mac

    thanx!!!

  • d0c

    Hi MrBrdo,
    I’m currently writing a Winamp gen plugin to play pandora. Now that I got the basics/crypto stuff working by myself (it IS playing), I discover that you already did all the reverse-engineering stuff *g*.
    However, I would like to add some advanced features (rating, station creation etc), and got some unknown parameters (getFragment args). Could you help me out with your specs/code?

    btw, I was thinking about writing a generic “pandora library” that does all the access to Pandora (login/stations/songs/etc) and provides a C interface, and your code could be a good starting point. What do you think?

    d0ccrazy (at) web (dot) de

    Thanks in advance, and nj with your client!
    d0c

  • nothingmn

    If MrBrdo is still checking this.. fire me a copy of your source or whatever to:

    nothingmn [at] yahoo [dot] com

    thanks.

  • daw

    It would be very nice if you could send me your source code. I’m using Linux and didn’t find a usable Pandora client yet (do you know one?), maybe I can migrate your player to Linux.
    My email: daw87 AT gmx DOT de

  • MrBrdo

    Guys Pandora introduced changes to their flash client. The Blowfish keys have somehow been obfuscated. If someone can break this and get the keys, please let me know, until then, my client is broken.

  • http://www.lino.cl Lino

    If we have access to your source code maybe it could be easiest. Can you release it?

  • MrBrdo

    I sent it to the guys who I think can do something out of it..
    Anyway, d0c figured it out and sent me the keys.
    Here’s the new, REDESIGNED (yeah, finally) Pandora Client for Windows:
    http://www.mrbrdo.net/pandora/

  • 0150r

    I’ve been working on a program to capture the xml files to pick out the artist/song/album and download link.. it works okay, but it relies on playing pandora in IE… which sucks. Would it be possible to take a look at your source? I’m looking to eventually make a pandora program for the xbox360 with XNA Studio and C#… something I can’t do with my current program.

    thekgbismine at aol dot com

  • http://www.shawnblog.com/ Shawn

    I’m glad I found this thread. I am interviewing Tim Westergren of Pandora for a podcast and these comments and this topic will form some of my questions for him.

  • MrBrdo

    Hello Shawn. Nice that you found some usefulness in our comments. Please post the link to the interview when it’s available :-)

    Thank you

  • Wert

    Hi MrBrdo

    I would love it if you could send me the source code
    for your pandora app; I am trying to make my own client and also implement a feature to send the currently playing artist and song to an irc client.

  • Wert

    sorry forgot my e-mail
    it is cameroneross48 AT msn DOT com

  • irieb

    I am attempting to write an implementation for my tivo – can you please send me the source code?

    cheers

    irieb AT mac.com

  • r3dr3draid3r

    After working on this pandora thing for a while I thought I would add a comment. I don’t know if many people know this, but you can Ethereal the pandora client’s connection to get a long authentication string (the actual pandora login is difficult). If Ethereal is running when you log in through the browser you can search the capture file for the string “token=”. When Ethereal finds the packet you can right click and follow the TCP stream. This will give you the long login string. Then, using a program of your choice (I use C#), you can write an HTTP post program and then post data to the URL in the packet. This will return to you an XML file with the next 4 songs that Pandora was going to send to the flash player. :) Now just automate the shit out of this and grab say 100000 of these files and you have the artist info and audio links for 400000 songs (not really, you get lots of repeats).
    I wrote an XML parser to enter the info into a MySQL database. When you change the radio station from the pandora client it changes the songs you get. I have a client I wrote with an embedded Windows Media Player which allows you to run queries against my database and then stream the songs from Pandora. If anyone has any protocol details they would like to share (such as the login details) I would be willing to talk. travis.taylor@ttu.edu

  • randome

    So any news on new pandora client?

  • MrBrdo

    Hey again. I did toy a little with the new blowfish keys, but they are obfuscated and it’s hard to find out. A few people also contacted me about the protocol details, but I can’t find the file anymore. So, IF ANYONE STILL HAS THE ZIP I SENT THEM please send it back to me, so I can relay it to other people that might need it.. I’m talking about the zip with pandora protocol details.

    Thanks, good luck all

  • download

    To MrBrdo: yes I still have a copy if you want it.

    I was wondering if anyone had noticed something odd. If the pandora swf is decompiled using Sothink SWF Decompiler (even the new one that’s supposed to support everything), it comes out with a few errors, i.e. a bunch of the variables in the blowfish section come out as “var _loc3 = ++;”. As far as I know, varname=++ is not a valid ActionScript statement, especially not for a newly declared variable. Also, there are lines like this: “_loc2 = _loc2 ^ P[];”. The only thing I can think of is that they somehow made a variable that has a null name so that it doesn’t show up in a decompile.