1) No matter what they do, if someone walks up to a computer that you're logged in to, they have a very good shot at getting your plaintext password (there's a distinct chance it's in a memory buffer somewhere). With a minor bit of effort, they can get access to any future password you use. This is a basic principle of security for anything other than MAC style security systems (and even then...)
2) I think there is a very real risk there, but of course, unless they use HSTS (and therefore always HTTPS) everywhere, there is a risk of this. Even if they use HSTS (which isn't broadly supported in browsers yet), almost no-one checks TLS certificates for man-in-the-middle attacks. In short: the man-in-the-middle attack risk is always a risk unless the user takes extraordinary efforts. They could do more to mitigate it, but it'd undoubtedly have some seriously negative user experience consequences. It seems like a very high bar to hold Pandora to given the nature of their service. If you are going to hold them to that standard, you might want to start with a more significant target like say.... the Apple Store.
Re #1: There's still a matter of degree, however - this takes zero technical knowledge and zero external tools, works on every platform that Pandora runs on, and requires maybe 5 seconds of time.
Re #2: Again, it's a difference of degree. Invalid TLS certs will at least give a browser warning that a user isn't used to seeing (in modern browsers), cluing them in that something might be up. Sure, some users might bypass it anyway, but there's at least some tip-off. Furthermore, there's no reason why the password needs to be in the DOM past the login page, which can easily be served over full HTTPS with no user experience impact. Yes, that can still fall prey to session hijacking if you don't use HTTPS for the rest of the site, but session hijacking doesn't give you passwords that you can use to go break into other sites.
#1: You know what also requires zero technical knowledge and zero external tools and requires maybe 5 seconds of my time? Typing in a new password for the account and clicking "save".
#2: It needn't be an invalid TLS cert. It could be a valid TLS cert pointing to another domain. The browser provides no warning and you only notice it if the check the domain is different from the one you expect. Watch out for domains that are only different because they use a funky character that looks like the one you are expecting.
#1 - yes, which is also a problem! But is actually less serious, because that doesn't give you knowledge of the old password which could be shared with another site. (Obviously in the ideal case it wouldn't be, but let's face it, it is for the vast majority of users.)
#2 - which is something that browser vendors are working to address (e.g. by displaying non-ascii characters in slightly different ways, e.g. punycode, and by blacklisting domains used for phishing, etc).
#1: It might be a problem, but it is also a clear indication to even a naive user that if they leave their browser logged in to Pandora, their account be compromised.
#2: Right. So there is a possibility that some day in the future, if you are really careful and check your TLS certificate every time you do something with your password, Pandora will be exposing you to a huge gaping hole, that you would otherwise only be exposed to if you used the Apple Store, Amazon, Ebay....
#1: How many times is too much when replying with #1 and #2?
#2: Answer: this many times.
So anyway, everyone change your Pandora password and be done with it. You can't buy anything with a Pandora account except to be able to listen to Pandora. That is not worth stealing, even if it is a great service. I pay for it, and I'm not going to stop because of Apple. They may have the library, but they don't have the years of experience that Pandora has in its market. I do think Apple will own the high-end home entertainment market eventually.
No, the gist of my argument is that this isn't an additional security risk. Worrying about this is tantamount to looking at the lock on your front door, which itself is made out of plywood with a hollow center, and of course is attached to a house with several standard windows, not to mention sliding glass doors, one of which you tend to leave open all the time --and then screaming, "OH MY GOD I CAN'T BELIEVE THEY DID THIS! THIS LOCK COULD BE CRACKED BY A GUY WITH A HAND SAW IN 5 MINUTES!!! THEY REALLY SHOULD GET A STRONGER LOCK!"
Not to step into your flamefest, but point #2 is already solved by using TACK (https://news.ycombinator.com/item?id=4010711) and Chrome has other partial workarounds in production.
2) I think there is a very real risk there, but of course, unless they use HSTS (and therefore always HTTPS) everywhere, there is a risk of this. Even if they use HSTS (which isn't broadly supported in browsers yet), almost no-one checks TLS certificates for man-in-the-middle attacks. In short: the man-in-the-middle attack risk is always a risk unless the user takes extraordinary efforts. They could do more to mitigate it, but it'd undoubtedly have some seriously negative user experience consequences. It seems like a very high bar to hold Pandora to given the nature of their service. If you are going to hold them to that standard, you might want to start with a more significant target like say.... the Apple Store.