CERT/CC has issued a vulnerability note for the Pandora music streaming service's Apple iOS app, which fails to properly validate SSL certificates presented over HTTPS connections.

If exploited, the flaw, CVE-2017-3194, could enable someone to conduct a man-in-the-middle attack. Essentially, the vulnerability allows an attacker operating on the same network as the iOS device to modify traffic that would normally be protected by HTTPS. Because the app does not properly validate the certificate, this protective layer is not in place, and sensitive information, including login credentials, can be leaked or extracted.

There is no known solution for this issue, but the vulnerability note suggests that Pandora users access the service directly through its website rather than the app in order to avoid the SSL validation issue.

Pandora was notified of the situation on February 7.