
Pandora Apple app vulnerable to MITM attacks


CERT/CC issued a vulnerability note for the Pandora music streaming service's Apple iOS app, which fails to properly validate SSL certificates provided by an HTTPS connection.

The flaw, CVE-2017-3194, could, if exploited, enable someone to conduct a man-in-the-middle attack. Essentially, the vulnerability allows an attacker operating on the same network as the iOS device to modify traffic that would normally be protected by HTTPS. Without this protective layer in place, secure information, including login credentials, can be leaked or extracted.

There is no known solution for this issue, but the vulnerability note suggests Pandora users access the service directly through the service's website and not the app in order to avoid the SSL validation issue.

Pandora was notified of the situation on February 7.
