
475 points danielstocks | 3 comments
1. tedd4u No.27303744
At a large site I used to work for circa 2011, before everyone had gone fully HTTPS, we received similar panicked reports from users: "I'm logged in as someone else!" Turns out an ISP in the Philippines decided to just ignore `cache-control` and `vary` headers and forcibly started caching logged-in responses along with auth cookies. Bad times. Made it clear to me why the whole web would have to go HTTPS.
replies(2): >>27309515 #>>27312210 #
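The failure described in the comment above, as an added example that is not part of the thread: a toy shared cache run once ignoring `cache-control` and `vary` and once honoring them. All class and function names, the `/account` URL and the session values are constructed for illustration; refusing to store `set-cookie` responses is a conservative policy chosen for this sketch.

```python
# Toy shared (ISP-style) cache. Constructed sample data; header names are lower-case.
from dataclasses import dataclass

@dataclass
class Response:
    body: str
    headers: dict

def split_list(value):
    """Split a comma-separated header value into lower-case tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def storable_by_shared_cache(resp):
    cc = {d.split("=")[0] for d in split_list(resp.headers.get("cache-control", ""))}
    if cc & {"private", "no-store"}:
        return False              # origin said: not for shared caches
    if "set-cookie" in resp.headers:
        return False              # conservative policy chosen for this example
    return "*" not in split_list(resp.headers.get("vary", ""))

class SharedCache:
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers
        self.store = {}           # url -> list of (selecting request headers, response)

    def fetch(self, url, req, origin):
        for selected, resp in self.store.get(url, []):
            if all(req.get(h) == v for h, v in selected.items()):
                return resp       # cache hit
        resp = origin(url, req)
        if not self.honor_headers:
            self.store.setdefault(url, []).append(({}, resp))   # keyed on URL only
        elif storable_by_shared_cache(resp):
            names = split_list(resp.headers.get("vary", ""))
            self.store.setdefault(url, []).append(({h: req.get(h) for h in names}, resp))
        return resp

def account_origin(url, req):
    """Constructed origin: personalised page, marked private and varying on Cookie."""
    session = req.get("cookie", "anonymous")
    return Response(f"account page for {session}",
                    {"cache-control": "private, no-store", "vary": "Cookie", "set-cookie": session})

def second_visitor_sees(honor_headers):
    cache = SharedCache(honor_headers)
    cache.fetch("/account", {"cookie": "session=alice"}, account_origin)
    return cache.fetch("/account", {"cookie": "session=bob"}, account_origin)

if __name__ == "__main__":
    for honor in (False, True):
        r = second_visitor_sees(honor)
        print(f"honor_headers={honor}: {r.body!r}, set-cookie={r.headers['set-cookie']!r}")
```

With `honor_headers=False` the second visitor receives the first visitor's page and session cookie; with `honor_headers=True` the private response is never stored, and cacheable responses are kept as separate variants per `vary` header.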
2. NullPrefix No.27309515
Yeah but what about the saved traffic? Think of the poor routers that have to do all this transferring job.
3. Scoundreller No.27312210
Reminds me of a primitive web filter at work that blocked me from something. So I look at the URL, add an “s” to http and voila. I think they MITM everything now.