
475 points | danielstocks | 1 comment

ipsin No.27303148
What are the ways you can implement "log in as anyone accidentally"?

I'm imagining it was a case of an SQL-based password check where "TRUE OR" got added to the WHERE clause, and the code takes the first result instead of expecting only 0 or 1 row.

Are there other easy ways to do this?

replies(3): >>27303178 >>27303237 >>27303253
1. nrmitchi No.27303178
From a quick glimpse on Twitter, people couldn't make changes to any of the accounts they were seeing.

This points in the direction of this being a caching bug; you request your homepage, and get the homepage of whichever user was placed in the cache last.

Most of the time in these situations it's not an application-code issue (per se), as much as a "shared global state" issue.
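An added example (not code from the thread or from the site being discussed) modelling the shared-cache failure nrmitchi describes, which is also one answer to ipsin's "other easy ways": a response cache keyed only on the URL path hands one user's personalised page to the next user who requests the same path, while keying on the authenticated identity as well keeps the pages apart. Session tokens, user names and the page body are constructed sample data.

```python
"""Constructed model of a cross-user cache leak and its fix.

The only difference between the vulnerable and the hardened handler is
what the shared cache entry is keyed on."""

from typing import Callable, Dict, Tuple

# Constructed sample sessions: token -> authenticated user name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def render_homepage(user: str) -> str:
    """Personalised page; the body makes it obvious whose page it is."""
    return f"<h1>Welcome, {user}</h1>"


def make_handler(cache_key: Callable[[str, str], object],
                 cache: Dict) -> Callable[[str, str], str]:
    """Return a request handler that consults a cache shared by all users."""
    def handle(path: str, session_token: str) -> str:
        user = SESSIONS[session_token]
        key = cache_key(path, user)
        if key not in cache:            # miss: render once, store for everyone
            cache[key] = render_homepage(user)
        return cache[key]               # hit: whatever was stored under key
    return handle


def path_only(path: str, user: str) -> object:
    """Vulnerable key: ignores who the response was rendered for."""
    return path


def path_and_user(path: str, user: str) -> object:
    """Hardened key: a personalised response is only reused for its owner."""
    return (path, user)


def simulate(cache_key: Callable[[str, str], object]) -> Tuple[str, str]:
    """Fresh cache; Alice requests /home first, then Bob. Returns both views."""
    handler = make_handler(cache_key, {})
    alice_view = handler("/home", "tok-alice")
    bob_view = handler("/home", "tok-bob")
    return alice_view, bob_view


if __name__ == "__main__":
    print("path-only key:     ", simulate(path_only))      # Bob sees Alice's page
    print("path-and-user key: ", simulate(path_and_user))  # each sees their own
```

The same class of bug appears whenever a CDN or reverse proxy caches a response that was rendered for a logged-in user; there the equivalent fix is to mark such responses uncacheable (`Cache-Control: private`) or vary the cache key on the session.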