Recently I discovered and tuned in to the Pandora service. It's really easy and fun to use this online music provider.
Once you are registered, you choose the music you want to listen to by creating “channels”, each channel identified by an artist or a song name. The selected channel streams music that the Music Genome Project classifies as similar to what you chose when you created the channel. For each song you can further decide whether you like it or not, which in turn fine-tunes the channel.
I loved Pandora from the first minute I heard its music, and the first thing I noticed was that I no longer got those annoying pauses whenever one of my colleagues decided to download something huge. This actually amazed me: it was the first time I got streaming music of this quality without those creepy noises. Well, I had to check how they did it.
I fired up a sniffer, looking for the incoming traffic going to Pandora's player. I was pretty amazed when I discovered that the player sends plain HTTP GET requests to download the songs as mp3 files. This means that the player does not really stream the music; it downloads it and then plays it.
The next step was to open the Live HTTP Headers Firefox plugin to grab the GET requests that download these mp3s.
Well, because I am a person who wears the right colored underwear, I dropped a mail to the support dudes at Pandora.com.
Recently we discovered a security flaw in the Pandora service your company provides.
Pandora's flash player sends an HTTP GET request to retrieve the music it plays as mp3 files. Those links are static and do not require any kind of authorization to retrieve the files. By sniffing network traffic it is possible to get those links, thus revealing the static location of the mp3 file.
The impact of this problem is that it allows users to store music locally and to share music with others (even non-Pandora.com users) by sending or posting the links.
Looking forward to your response.
The response was of the sort “the flaw is not actually a flaw, rather it is a known feature”:
Thanks for the heads up. We're aware of this issue. Actually, the URL will only work for a short period of time while the song downloads, so it's impossible to post them for others later.
I stated that the links are static, and the links grabbed when sending the notification still look valid to me. Should I convince the vendor that I'm right? Naaw, I'll just blog it. So actually you can share songs too, not only the channels.
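Whether a grabbed link keeps working later comes down to one server-side property: does the URL carry a signed, expiring token that the media server actually verifies before serving the file, or is the path static? The following is an added example of how such a time-limited link is built and checked (this is not Pandora's code, and nothing is known here about their real token format; the hostname media.example.invalid, the secret key and the song and user ids are constructed for the example). A link minted with make_token stops working after its TTL, a token for one song cannot be spliced onto another, and the path in the request must match the song named in the token.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import urllib.parse
from typing import Optional

# Constructed server-side secret for this example only; a real deployment keeps
# it out of source control and rotates it.
SECRET_KEY = b"example-secret-do-not-reuse"


def _b64url(raw: bytes) -> str:
    """base64url without padding, safe inside a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_token(song_id: str, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Bind a song to a user and an expiry time, then sign with HMAC-SHA256.
    The token is <payload>.<signature>, both base64url encoded."""
    issued = int(time.time() if now is None else now)
    claims = {"song": song_id, "user": user_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None
    return claims


def build_url(song_id: str, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """The link the player would be handed: static path plus a short-lived token."""
    token = make_token(song_id, user_id, ttl_seconds, now)
    return f"https://media.example.invalid/songs/{song_id}.mp3?token={token}"


def authorize_request(url: str, now: Optional[float] = None) -> bool:
    """What the media server checks before serving the file."""
    parts = urllib.parse.urlsplit(url)
    token = urllib.parse.parse_qs(parts.query).get("token", [None])[0]
    if token is None:
        return False
    claims = verify_token(token, now)
    if claims is None:
        return False
    # The token must name the file actually being requested.
    return parts.path == f"/songs/{claims['song']}.mp3"


if __name__ == "__main__":
    link = build_url("song-42", "user-7", ttl_seconds=60, now=1000.0)
    print("fresh link accepted:", authorize_request(link, now=1030.0))
    print("same link an hour later:", authorize_request(link, now=4600.0))
```

The vendor's reply describes exactly this behaviour; the author's observation that the grabbed links still work is the symptom of the path being served without such a check. Note that the design choice of putting the expiry inside the signed payload, rather than in a separate query parameter, is what keeps a client from simply editing the deadline.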
P.S. The URI of the GET request consists of a long field named “token”, which looks encrypted, base64 and URL encoded to me. It would be interesting if somebody invested the time to decompile the Flash to see if it's possible to download any of the 300,000 songs directly. Who knows, maybe they use the Blowfish cipher with a static key?
Anyway, if somebody did, please keep us informed.