UPDATE: Please check out the latest version from my git repo: http://git.vpetkov.net/projects – project name: “pandora”
It seems that Pandora is not putting much time or thought into how they provide and access music online through their website. I really hope they fix this, since it’s irresponsible as far as the DMCA is concerned. Each song is simply an encoded token, and it’s pulled down directly from, presumably, one of their proxy servers. If you look at the stream while playing songs on pandora.com, you will notice something like this (an example, not a real token):
```
access/197185343492159781?
version=4&lid=######&token=Rqcw8pKLwxByRVLM6SynyT%2Fw0yGw2F3WW8efWPzuBSsaQTUKz
obvQ3A8Q0Z0uDm1FiUpSiWMqH5CUwW%2B51WJs7IhT9O%85DLlKtVZuYO55LpLuaeooiYTIFvdeCyHaM
i%2Fq8%2FClLJuDEipmt6%2FMR8QvwebIF8rt2Hlcqwj70Stc7E2TeB8021eG60OV%2B%2FCbVMhL3Sh
0qdGSLnHK55xabtdZSoES7HYGPPG7wLjNurP%2FTGjqx%2Bz9%afdsjx2jdhg%2FMZX3A7zx8DlNEPy5
ahaM8z3VjjfDGhWTElBIzveYigBdLq7j9t7mUHjtwEJZ3yHKhHNapEtmb8ZSOIwbAUfqjMiJtk7WXVDq
qBZZ7
```
Some assumptions: “version=4” is high quality, or what used to be CD quality (192 kbps). “lid=#####” is the “login id”, or your unique user number. “token=…” is the actual song, encoded. By finding the host of these requests and putting it all together (the lid is completely optional), you will have a full request URL to a song.
Imagine putting it together like this (an example, as a POC):
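```bash
#!/bin/bash

# Print "host,request-uri" for Pandora HTTP requests that carry a token,
# and pipe each line to the worker script.
tshark -i en0 -l -T fields -E separator="," \
    -e http.host -e http.request.uri \
    -R "http.request.uri contains token and http.host contains pandora" \
    | ./worker.pl
```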
Then having something that parses this “buffer”:
```perl
#!/usr/bin/perl

use Tie::File;
use WWW::Mechanize;

my $tokensdb = '.tokens.db';
my $songsdb  = '.songs';

# Create the token store and the songs directory on first run.
unless (-e $tokensdb) { `touch $tokensdb`; }
unless (-d $songsdb)  { mkdir $songsdb or die; }

# Each element of @tokens is one line of $tokensdb.
tie our @tokens, 'Tie::File', $tokensdb;

my $mech = WWW::Mechanize->new();
$mech->timeout(5);
$mech->quiet(1);
$mech->agent_alias('Mac Safari');

# Each input line from tshark is "host,request-uri".
while (<STDIN>) {
    my ($host, $token) = split(/,/, $_);
    $token =~ s/&lid=(\d*)//g;    # the lid parameter is optional, so drop it
    chomp($token);
    my $url = "http://$host" . "$token";

    if (grep { "$_" eq "$token" } @tokens) {
        print "Token Already Seen...\n";
    } else {
        push(@tokens, $token);
        print ">> New Token Added!\n";
        $file = time;
        # Code removed in order to prevent Abuse!
    }
}
```
One way for them to fix this would be to session-encode the requests. You should not be able to make requests that originate from outside of pandora.com directly to the servers. Also, the requests should be authenticated. In addition, they could potentially be checked against what is “played” and controlled for streaming mechanisms. I really hope they fix this as soon as possible.
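One way to implement the fix suggested above, as an added example that is not code from the original post or from Pandora: the web tier signs each stream URL for one session, and the media tier rejects URLs that are tampered with, replayed from another session, expired, or already played. The function names, URL layout, key, and TTL are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: secret shared by web and media servers
TTL = 30                          # assumption: seconds a stream URL stays valid
_redeemed = set()                 # signatures already played (in-memory for the demo)


def _sign(session_id, track_id, expires):
    # Assumes session and track ids never contain "|".
    msg = f"{session_id}|{track_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_stream_url(session_id, track_id, now=None):
    """Web tier: called when the player is told to play track_id in this session."""
    expires = int(time.time() if now is None else now) + TTL
    return f"/access/{track_id}?exp={expires}&sig={_sign(session_id, track_id, expires)}"


def authorize(session_id, url, now=None):
    """Media tier: session_id comes from the authenticated cookie, never from the URL."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    track_id = parts.path.rsplit("/", 1)[-1]
    try:
        expires, sig = int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return "denied: malformed"
    expected = _sign(session_id, track_id, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "denied: bad signature or wrong session"
    if now > expires:
        return "denied: expired"
    if sig in _redeemed:
        return "denied: already played"
    _redeemed.add(sig)  # one URL, one play: ties requests to what was actually played
    return "ok"
```

A real deployment would keep the redeemed set in a shared store and expire its entries once their `exp` time has passed.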
Securiteam covered this in 2006: http://blogs.securiteam.com/index.php/archives/174
This isn’t new. They’ve changed a couple of things since, but yes. Isn’t it sad that it has been a problem since ~2006?