←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0.229s | source
Show context
mavster ◴[27 May 21 13:50 UTC] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #
1. miohtama ◴[27 May 21 14:27 UTC] No.27303554[source]
I expect something exactly like this happened. I had a similar bug long time ago. Apache was somehow incorrectly caching the request and the session cookie in the request ended up in a cache. But it happened only about 1/10,000th of the time so it was impossible to figure out the root cause.

However, one common source for this kind of bugs is to ”cache any URL ending .pdf as a static file” and then you are in fact serving logged in PDFs like customer invoices that come with the session cookie.

I think CloudFlare used to come with a default rule to treat .pdf as a static content. The responses were cached when you hit their ”cache the good stuff” checkbox.