←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 2 comments | 27 May 21 10:28 UTC | HN request time: 0.41s | source
Show context
diveanon ◴[27 May 21 10:59 UTC] No.27301440[source]
If you rely on your application layer to enforce data privacy instead of enforcing it in your storage layer its just a matter of time until you have an issue like this.

It says a lot about the security of their api and development culture that they are even struggling with something like this. This should be caught in the first architecture review session.

replies(5): >>27301492 #>>27301550 #>>27301568 #>>27301587 #>>27301735 #
1. jablan ◴[27 May 21 11:16 UTC] No.27301587[source]
How would any measures at storage layer prevent, for example, issues in caching?
replies(1): >>27301849 #
2. mewpmewp2 ◴[27 May 21 11:46 UTC] No.27301849[source]
And how can one enforce it on a storage layer? There must be something in the application that determines user identity, which either threading, flawed logic, bug or caching (most likely) can mess up. In which case storage layer gets this identity information from application layer.