Most active commenters
  • AtNightWeCode(4)
  • jordanbeiber(3)

←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 12 comments | 27 May 21 10:28 UTC | HN request time: 0s | source | bottom
Show context
mavster ◴[27 May 21 13:50 UTC] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #
1. AtNightWeCode ◴[27 May 21 16:36 UTC] No.27305016[source]
I doubt that Klarna, a bank, have OSI layer 7 proxies in the cloud, with TLS termination in their CDN solution, on AWS. I would assume this traffic is outside of that. But then again, I know they wasted 25M+ Euros on a garbage NodeJS platform. They also created an own cloud once. Yes, it is in the trash bin.
replies(4): >>27305909 #>>27306271 #>>27308203 #>>27308438 #
2. piva00 ◴[27 May 21 17:47 UTC] No.27305909[source]
What makes you doubt that?
3. darthrupert ◴[27 May 21 18:17 UTC] No.27306271[source]
Surprisingly many IT companies tried to create their own clouds, or at least their own kubernetes.
replies(1): >>27308482 #
4. mekkkkkk ◴[27 May 21 20:42 UTC] No.27308203[source]
I'd actually bet against you on that one. They are still stuck with one foot in the startup mindset.
5. jordanbeiber ◴[27 May 21 20:56 UTC] No.27308438[source]
They didn’t “create” their own cloud - they wanted to host their own hardware using an api layer to provision resources. That stuff was not built in-house.

Manhandled in-house though...

replies(1): >>27312532 #
6. jordanbeiber ◴[27 May 21 21:00 UTC] No.27308482[source]
Surprisingly many have saved boatloads of time automating processes pertaining to the tasks at hand. So, yeah, sound reasonable. :)
7. AtNightWeCode ◴[28 May 21 07:05 UTC] No.27312532[source]
Sebastian used the word cloud when I met him.
replies(3): >>27313253 #>>27313352 #>>27318064 #
8. Hikikomori ◴[28 May 21 09:14 UTC] No.27313253{3}[source]
There was a Klarna cloud yes. At the time it was unclear if finance/banks could utilise public cloud services (regulatory requirements), so it made sense in that way, but creating your own cloud is something few orgs are capable of.
replies(1): >>27313675 #
9. piva00 ◴[28 May 21 09:36 UTC] No.27313352{3}[source]
Klarna Cloud was a deployment of Cloudstack or Openstack (my memory fails me now) for internal usage, when there was still a lot of discussions around cloud lock-in, it was not an in-house built cloud platform.
replies(1): >>27313726 #
10. AtNightWeCode ◴[28 May 21 10:22 UTC] No.27313675{4}[source]
It is not that uncommon among finance tech companies in Sweden to have some in house cloud. They often already have the knowledge to run servers with virtualization, logging, backups, redundancy and so on. Adding a service layer to that by using Kubernetes for instance is doable.
11. AtNightWeCode ◴[28 May 21 10:31 UTC] No.27313726{4}[source]
I did not think they actually wrote the code. But I think the ambition was higher. Pretty much every CTO in this country have hubris and think their services will be sold to third parties.
12. jordanbeiber ◴[28 May 21 17:18 UTC] No.27318064{3}[source]
Yeah, I actually took part in setting it up with them. It was CloudStack. API layer in front of hypervisors.

Such is the cloud software... :) Cloud, besides APIs, i.e managing hardware at scale was not really what they did.

They did roll 1000s of vms per week through it in ci/cd flows though.

As such it did what it was supposed to do - docker/containers was not a thing at that point in time, and I remember thinking it was pretty awesome.

To many nifty engineers, with long fingers, for their own good though. You need to be strict with automations if you want to keep something like that running reliably over time.