
To be fair, this is really a tiny issue compared to them storing plaintext passwords server side as they were initially accused of doing. If you have access to a browser's local storage, you can also probably install a browser extension that key logs any password inputs. Or you can view all the browser's saved passwords. etc.


I disagree. Putting aside saved passwords, which I admit is a big aside, the browser's usual attack vector is login or session cookies. It will grant users access to the account, but it doesn't usually leak any information in itself. However, this leaks the email, username, password, and a myriad of other data. This is compounded by the risk of leaking data in the event of a JavaScript injection. Usually this would allow the JS to steal login cookies or do actions on the site (hopefully anything 'secure' requires an additional password input), but now they can whisk the usernames and passwords off site, which elevates the breach to be almost as bad as a database leak.
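
The comment above turns on what an injected script can read out of a site's local storage. As an added example (not part of the thread, and not Pandora's code), here is a small audit routine of the kind you would paste into a browser console as `auditStorage(window.localStorage)` to see whether a site is parking credentials there. It walks every key, JSON-decodes values where it can, and reports any key whose name looks credential-like. The `makeStorage` shim and the sample entries are constructed so the script runs under Node without a DOM; the key-name regex is an assumption about naming conventions, not a spec.

```javascript
// Key names that usually hold something an attacker would want.
// Assumption: this list is a heuristic, tune it per site.
const SENSITIVE_KEY = /pass(word|wd)?|pwd|secret|token|auth|session|credential|email|user(name)?/i;

// Recursively walk a decoded JSON value and record scalar leaves whose
// key name matches SENSITIVE_KEY. `path` is the dotted location so far.
function collectSensitivePaths(value, path, out) {
  if (value === null || typeof value !== 'object') return;
  for (const [k, v] of Object.entries(value)) {
    const p = path ? `${path}.${k}` : k;
    if (SENSITIVE_KEY.test(k) && v !== null && typeof v !== 'object') {
      out.push({ path: p, value: String(v) });
    }
    collectSensitivePaths(v, p, out);
  }
}

// `storage` only needs the Web Storage API subset used here:
// length, key(i) and getItem(k), so window.localStorage,
// window.sessionStorage or the shim below all work.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const raw = storage.getItem(key);
    // Top-level key itself looks sensitive: report the raw value.
    if (SENSITIVE_KEY.test(key)) findings.push({ path: key, value: raw });
    // Many sites serialise an "account" or "user" blob as JSON; look inside it.
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch (_) {
      continue; // plain string, nothing more to walk
    }
    collectSensitivePaths(parsed, key, findings);
  }
  return findings;
}

// Minimal in-memory stand-in for window.localStorage so this runs outside a browser.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (Object.prototype.hasOwnProperty.call(entries, k) ? entries[k] : null),
  };
}

// Constructed sample data: this is invented for the demo, not anything
// observed in a real site's storage.
const sampleStorage = makeStorage({
  theme: 'dark',
  lastStation: '12345',
  account: JSON.stringify({
    email: 'alice@example.com',
    username: 'alice',
    password: 'hunter2',
    prefs: { volume: 7 },
  }),
  authToken: 'eyJhbGciOi...',
});

// Running this prints four findings: account.email, account.username,
// account.password and authToken. A site that kept only a session
// cookie would yield none, which is the distinction drawn above.
console.log(auditStorage(sampleStorage));
```

Anything that shows up in the findings is readable by any script running in the page's origin, whether that is the site's own code or an injected one, so it is exactly the data an XSS can exfiltrate without waiting for the user to type it again.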


Again: If there is JavaScript injection, they can capture the password at the time you enter it anyway. Once you have JavaScript injection, almost any site will cough up all that data without issue. Heck, they can do a full-on man in the middle attack if they so desire.

It doesn't appear that merely cloning a login session cookie would get you access to the password, as it does not appear that the server even knows what it is. In fact, this approach they've used seems like it would allow for password challenges whenever Pandora wanted to, which makes session stealing far less effective.


I agree with you. That said, it is a possible vector they should patch up, so it shouldn't be ignored by any means. It's just minor enough that I don't see why any of us should care.


I hope you never click 'save password' in Pidgin, or about a thousand different local apps. There's a 'vector' there too!


I know you're being funny, but for everyone else here's their spiel on saving your passwords locally: https://developer.pidgin.im/wiki/PlainTextPasswords

The default and most secure setting is to not save passwords.


> The default and most secure setting is to not save passwords.

While true from a systems vantage point, it isn't really true once you bring in the human factors. It just isn't reasonable to think people will type in distinct and secure passwords for each of their IM accounts each time they start up their client. It's far more reasonable to have a password manager which manages which applications have access to which passwords, and which stores the passwords all protected by a master password (ideally with two factor authentication).



