UPDATE: Please check out latest version from my git repo: http://git.vpetkov.net/projects – project name: “pandora”

It seems that Pandora is not putting too much time or thought into how they provide and access music online through their website. I really hope they fix this since it’s irresponsible as far as the the DMCA is concerned. Each song is simply an encoded token, and it’s pulled down directly from, presumably, one of their proxy server. If you look at the stream while playing songs on pandora.com, you will notice something like this (ex: not real):

Some assumptions: the “version=4” is high quality or what used to be CD quality (192 kbps). The “lid=#####” is the “login id”, or your unique user number. The “token=…” is the actual song, encoded. By finding the host of these requests, and putting it all together, where the lid is completely optional, you will have a full request URL to a song.

Imagine putting it together like this: (example as a POC, like this)

Then having something that parses this “buffer”:

One way for them to fix this would be to session encode the requests. You should not be able to make requests that originate from outside of pandora.com directly to the servers. Also, the requests should be authenticated. As an addition, they could potentially be checked against what is “played” and controlled for streaming mechanisms. I really hope this fix this as soon as possible.

2 Thoughts on “Pandora Music Access-Vulnerability

  1. This isn’t new. They’ve changed a couple of things since, but yes. Isn’t it sad that it has been a problem since ~2006?

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation