Klarna users are being signed in to random accounts

(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0.252s | source

Show context

ipsin ◴[27 May 21 13:54 UTC] No.27303148[source]▶

What are the ways you can implement "log in as anyone accidentally"?

I'm imagining it was a case of an SQL-based password check where "TRUE OR" got added to the WHERE clause, and the code takes the first result instead of expecting only 0 or 1 row.

Are there other easy ways to do this?

replies(3): >>27303178 #>>27303237 #>>27303253 #

ladon86 ◴[27 May 21 14:02 UTC] No.27303253[source]▶

>>27303148 #

1) Caching: a cache is used in front of the API for things like product listings, it uses a pattern match like /api/products/*, and caches routes which match. Someone accidentally configures it to cache /api/*, and thus login responses from /api/session return another recent user session, potentially including the cookie such that subsequent requests are authenticated as that user.

2) Mentioned elsewhere in this thread, a variable with global scope within an application server. This is very possible in node.js, which uses a long-running single thread - if you have a function like handleRequest(), you might inadvertently write to a global variable outside it, and that variable will persist across requests from different users. I've seen this exact bug in a PR - luckily we caught it before production, but if it had slipped through code review and integration tests and actually shipped, the result would have been exactly like the one in the tweet.

replies(2): >>27303498 #>>27303576 #

1. formerly_proven ◴[27 May 21 14:23 UTC] No.27303498[source]▶

>>27303253 #

It can be a bug in the application server as well, I recall uwsgi having issues where the request (or response, not sure) dictionaries were recycled between requests, and some corner cases didn't clear those between handling different requests, or something to that tune.

↑