
475 points danielstocks | 7 comments
1. K0nserv No.27301456
I suspect this might be a request threading/confusion[0] issue similar to the one GitHub experienced a while back. This would explain why seemingly random user data is being returned.

0: https://github.blog/2021-03-18-how-we-found-and-fixed-a-rare...

replies(2): >>27301479 >>27301557
2. toxik No.27301479
We can only speculate, but what baffles me is that it happens for something so private, and for a company that is so rich. Do they not audit their code? Do they not risk assess these things? "Ah, storing user credentials in thread local storage, that sounds sane and bug-proof" said no auditor, ever.
replies(1): >>27301671
3. corroclaro No.27301557
IIRC, Klarna is mostly written in Erlang, Scala and some parts in Clojure.

If someone should be aware of thread-local storage and its implications, it ought to be them.

replies(3): >>27301582 >>27301808 >>27303224
4. K0nserv No.27301582
I was under the impression that they had switched to Java more in recent years.
5. No.27301671
6. def_true_false No.27301808
Using trendy tech doesn't solve much by itself. Especially if you can't (or don't) compete with FAANG on compensation.
7. sidebits No.27303224
This changed many years ago.