
475 points danielstocks | 7 comments
paxys No.27304033
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5): >>27304324 >>27304427 >>27305411 >>27307048 >>27307466
1. oxplot No.27304324
That only protects the user's password. The auth cookie will be sent in all subsequent requests in plain text.

EDIT: that's how Firesheep (https://en.wikipedia.org/wiki/Firesheep) hijacked sessions, for example.

replies(1): >>27304417
2. nly No.27304417
That's not true. Cookies can have a 'secure' attribute which tells the browser to send them only over TLS
replies(3): >>27304684 >>27304721 >>27304916
3. eli No.27304684
in 2011?
replies(1): >>27304902
4. chc No.27304721
But that just makes your login not work if the rest of your site is HTTP, doesn't it?
replies(1): >>27304915
5. shkkmo No.27304902
Yes
6. shkkmo No.27304915
You should not show authenticated pages without HTTPS
7. oxplot No.27304916
A secure cookie would be of no use for a site whose only secure page is the login page, which is what the parent post I replied to was talking about.