
475 points danielstocks | 3 comments

ipsin No.27303148
What are the ways you can implement "log in as anyone accidentally"?

I'm imagining it was a case of an SQL-based password check where "TRUE OR" got added to the WHERE clause, and the code takes the first result instead of expecting only 0 or 1 row.

Are there other easy ways to do this?

replies(3): >>27303178 #>>27303237 #>>27303253 #
1. bellyfullofbac No.27303237
It's not a web system but Mac OS messed it up once: https://objective-see.com/blog/blog_0x24.html

Caching could be an issue: if they added a cache for a microservice call to /get/user?id=$USER and ignored the id parameter, then /get/user?id=ipsin fetches data for the user ipsin, the system sees the next call /get/user?id=bellyfullofbac and thinks, "Wait, I have the results of /get/user in cache", and returns the data for ipsin again...

replies(1): >>27303283 #
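The cache-key mistake described above, as an added example that is not from the thread: a toy response cache keyed on the request path only (so every `id` collides on `/get/user`) beside one keyed on the full request. `USERS`, `fetch_user`, `CachedClient` and `serve_two_users` are assumed names, and the user records are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample backend data (not real users).
USERS = {
    "ipsin": {"id": "ipsin", "email": "ipsin@example.invalid"},
    "bellyfullofbac": {"id": "bellyfullofbac", "email": "bfb@example.invalid"},
}

def fetch_user(url):
    """Pretend microservice: /get/user?id=<name> returns that user's record."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    return USERS.get(params.get("id"))

def path_only_key(url):
    """Buggy key: drops the query string, so every id maps to '/get/user'."""
    return urlsplit(url).path

def full_request_key(url):
    """Fixed key: path plus the sorted query parameters that select the resource."""
    parts = urlsplit(url)
    return (parts.path, tuple(sorted(parse_qsl(parts.query))))

class CachedClient:
    """Minimal read-through cache in front of fetch_user, keyed by key_fn."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.cache = {}
        self.backend_calls = 0

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.cache:
            self.backend_calls += 1
            self.cache[key] = fetch_user(url)
        return self.cache[key]

def serve_two_users(key_fn):
    """Fetch ipsin, then bellyfullofbac, through one cache; return ids seen and backend calls."""
    client = CachedClient(key_fn)
    first = client.get("/get/user?id=ipsin")
    second = client.get("/get/user?id=bellyfullofbac")
    return first["id"], second["id"], client.backend_calls

if __name__ == "__main__":
    print("path-only key:", serve_two_users(path_only_key))     # ('ipsin', 'ipsin', 1)
    print("full key:     ", serve_two_users(full_request_key))  # ('ipsin', 'bellyfullofbac', 2)
```

With the path-only key the second user silently receives ipsin's record from cache; the full-request key fixes that collision, and per-user responses should additionally be tied to the authenticated principal rather than relying on the URL alone.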
2. chrisandchris No.27303283
Besides having the HTTP verb in the URL (GET -> /get/), why would you put the id in the query? Why not just use GET /user/1234 instead of duplicating things by using GET /get/user?id=1234? What does GET /get/user then even return, all users, no user, ...?

Edit: typo

replies(1): >>27303850 #
3. bellyfullofbac No.27303850
It's just an example...