←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 2 comments | 27 May 21 10:28 UTC | HN request time: 0s | source
Show context
diveanon ◴[27 May 21 10:59 UTC] No.27301440[source]
If you rely on your application layer to enforce data privacy instead of enforcing it in your storage layer its just a matter of time until you have an issue like this.

It says a lot about the security of their api and development culture that they are even struggling with something like this. This should be caught in the first architecture review session.

replies(5): >>27301492 #>>27301550 #>>27301568 #>>27301587 #>>27301735 #
1. corroclaro ◴[27 May 21 11:13 UTC] No.27301568[source]
Cached data in middle layers can get even the safest of row-level secured databases.

I agree in general that you need to enforce things at the storage layer.

replies(1): >>27302835 #
2. diveanon ◴[27 May 21 13:31 UTC] No.27302835[source]
You're right, and cache policy issues can be really hard to debug.

As a rule I don't cache personal information for this reason.

Out of curiosity do you have any knowledge on GDPR's stance on caching PI?