(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0s | source

Show context

diveanon ◴[27 May 21 10:59 UTC] No.27301440[source]▶

If you rely on your application layer to enforce data privacy instead of enforcing it in your storage layer its just a matter of time until you have an issue like this.

It says a lot about the security of their api and development culture that they are even struggling with something like this. This should be caught in the first architecture review session.

replies(5): >>27301492 #>>27301550 #>>27301568 #>>27301587 #>>27301735 #

corroclaro ◴[27 May 21 11:13 UTC] No.27301568[source]▶

>>27301440 #

Cached data in middle layers can get even the safest of row-level secured databases.

I agree in general that you need to enforce things at the storage layer.

replies(1): >>27302835 #

1. diveanon ◴[27 May 21 13:31 UTC] No.27302835[source]▶

>>27301568 #

You're right, and cache policy issues can be really hard to debug.

As a rule I don't cache personal information for this reason.

Out of curiosity do you have any knowledge on GDPR's stance on caching PI?

↑

Klarna users are being signed in to random accounts