The proper use of secure internet protocols is a subject you want major sites to take seriously. So you can imagine how disappointed Google software engineer Eric Lawrence was when he discovered Pandora was not only inconsistent with its use of HTTP over TLS (better known as HTTPS) but its service department didn’t seem to care.
A couple of weeks ago while testing a new browser extension Lawrence, who uses Pandora frequently, noticed that Pandora serves its pages over regular HTTP, even when you’re logged in. As of 13 March this remains the case.
The developer “decided to click around a bit” and discovered that Pandora was happy to deliver billing information over a seemingly unsecured connection:
While I have mixed feelings about network snoopers knowing what I’m listening to, I definitely get uncomfortable with the idea that they can see my email address, birth year, zip code, and more … Okay, so that’s not good. My full name, zip code, eight digits of my credit card number, and its expiration are all on display in a page delivered over an unprotected channel. Any network snooper can steal this information, or prompt me for more information as if it were the legitimate site.
On closer inspection, Lawrence found the data was being handled by a secure connection, however, the way it was accomplished brazenly bypassed the same origin policy:
The first problem here is that this is JSONP data, which means that the unsecure calling page has access to all of the data—JSONP is being used to circumvent same-origin-policy. So, while a network-based attacker can’t read my data directly off the wire, he can simply rewrite the HTTP page itself to leak the data.
Obviously, Lawrence got in contact with Pandora’s support, after failing to find a direct way to reach the security team. The good news is he received a reply, the bad news is it not only contained outdated information, but gave the impression the company had little interest in investigating the matter.
Fortunately, this tale does have a happy ending — of sorts. Three days after Lawrence published his post, Pandora started geting its act together:
Pandora has enabled a security alias and registered it with the HackerOne Directory. They’ve also said “our engineering department is and has been actively working on transitioning http://www.pandora.com to HTTPS only.”
Still, the site shouldn’t have to have been prompted by Lawrence in the first place — considering Pandora handles financial data, properly implemented HTTPS should be mandatory.
Using HTTPS properly [Text/Plain]