
475 points danielstocks | 2 comments
mavster No.27303085
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

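The failure mode guessed at above (a per-user response that a CDN keys on the URL alone, so the first caller's token is served to everyone after) can be reproduced with a small simulation. The following is an added example written for this thread, not Klarna's code and not any real CDN; the toy cache, the session table and the `/api/session` path are all constructed, and the cache imitates the common default of storing any GET response the origin does not explicitly mark as uncacheable.

```python
"""Added example: how a per-user API response ends up shared through a CDN.

Toy simulation written for this thread, not Klarna's code or a real CDN.
The cache keys responses on the request path only and stores anything
the origin does not mark as private / no-store.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: dict
    headers: dict = field(default_factory=dict)


class ToyCdn:
    """Caches GET responses by path unless the origin forbids it."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def cacheable(self, resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "")
        directives = {d.strip().lower() for d in cc.split(",")}
        return not (directives & {"private", "no-store"})

    def get(self, path: str, auth_header: str) -> Response:
        if path in self.store:
            # Served to whoever asks next; the Authorization header is ignored.
            return self.store[path]
        resp = self.origin(path, auth_header)
        if self.cacheable(resp):
            self.store[path] = resp
        return resp


# Constructed session table standing in for real authentication.
SESSIONS = {
    "Bearer alice-cookie": ("alice", "jwt-for-alice"),
    "Bearer bob-cookie": ("bob", "jwt-for-bob"),
}


def vulnerable_origin(path: str, auth_header: str) -> Response:
    user, token = SESSIONS[auth_header]
    # Per-user data with no cache directives: the CDN treats it as public.
    return Response({"user": user, "token": token})


def hardened_origin(path: str, auth_header: str) -> Response:
    user, token = SESSIONS[auth_header]
    # Explicitly uncacheable by any shared cache.
    return Response({"user": user, "token": token},
                    {"Cache-Control": "private, no-store"})


def who_does_bob_see(origin) -> dict:
    """Alice warms the cache, then Bob asks for the same URL."""
    cdn = ToyCdn(origin)
    cdn.get("/api/session", "Bearer alice-cookie")
    return cdn.get("/api/session", "Bearer bob-cookie").body


if __name__ == "__main__":
    print("vulnerable:", who_does_bob_see(vulnerable_origin))
    print("hardened:  ", who_does_bob_see(hardened_origin))
```

The check a practitioner wants here is that any endpoint whose response depends on the caller sets `Cache-Control: private, no-store` (a `Vary: Authorization` header only helps if the CDN honours it and still leaves one copy per token sitting in a shared cache).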
akamia No.27304728
I worked with a team that owned a service that resizes images. An engineer was assigned a task to add support for auto rotating images. His solution involved saving the image to a file and then using a library to handle the rotation. He used a hardcoded value for the file name. In a local environment where requests are sparse this looked fine to him and other engineers on the team missed it in code reviews. It wasn't until it went out to prod that he realized the error in this. Users started seeing other users' images because the file's content was constantly being overwritten.

When you test features like this, or caching a response with a JWT, it can be very easy to default to the happy path or to ignore the impact of a large volume of concurrent users.

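The hard-coded scratch file described above fails in exactly the way a deterministic interleaving shows. What follows is an added example for this thread, not the image service the comment describes: the image bytes are constructed, the rotation library is replaced by a byte reversal so it runs offline, and the two requests are modelled as generators that yield at the point where a real server would pre-empt one request for another, so the cross-contamination reproduces every time instead of depending on timing.

```python
"""Added example: a hard-coded scratch file shared by concurrent requests.

Written for this thread; not the image service described above. The
"rotation" is a byte reversal and concurrency is an explicit interleaving
of two generator-based requests rather than real threads.
"""
import os
import tempfile

# The hard-coded name: every request writes and reads the same path.
SCRATCH = os.path.join(tempfile.gettempdir(), "rotate_input.bin")


def rotate(data: bytes) -> bytes:
    """Stand-in for the image rotation library."""
    return data[::-1]


def handle_shared_name(image: bytes):
    """Buggy handler: each yield is a point where another request may run."""
    with open(SCRATCH, "wb") as f:
        f.write(image)
    yield  # request is pre-empted here; another request may overwrite SCRATCH
    with open(SCRATCH, "rb") as f:
        return rotate(f.read())


def handle_private_name(image: bytes):
    """Fixed handler: a unique, per-request file that is removed afterwards."""
    fd, path = tempfile.mkstemp(prefix="rotate_")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        yield
        with open(path, "rb") as f:
            return rotate(f.read())
    finally:
        os.unlink(path)


def run_interleaved(handler, image_a: bytes, image_b: bytes) -> list:
    """Schedule: A writes, B writes, A reads, B reads. Returns [A result, B result]."""
    a, b = handler(image_a), handler(image_b)
    next(a)
    next(b)
    results = []
    for g in (a, b):
        try:
            next(g)
        except StopIteration as stop:
            results.append(stop.value)
    return results


if __name__ == "__main__":
    alice, bob = b"alice-image", b"bob-image"
    print("shared name: ", run_interleaved(handle_shared_name, alice, bob))
    print("private name:", run_interleaved(handle_private_name, alice, bob))
```

With the shared name both callers get Bob's image back; the per-request `mkstemp` file is the smallest fix, and passing bytes to the library in memory (no file at all) removes the hazard entirely where the library allows it.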
auggierose No.27306320
"An engineer was assigned"

Nope. That definitely wasn't an engineer.

_vertigo No.27307372
No true Scottish engineer would have made that error!
auggierose No.27308285
:-)