
475 points danielstocks | 1 comments | | HN request time: 0.218s | source
mavster ◴[] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

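The failure mode mavster describes above, modelled as an added example (not code from the thread or from Klarna): a toy shared cache keyed only on method and path sits in front of an API endpoint that echoes the caller's session token. The first caller's response gets stored and replayed to the next caller. The hardened origin is the same handler with a `Cache-Control: private, no-store` header, which a shared cache must not store. The `/api/me` path, the `sess-*` bearer values and the `jwt-for-*` token strings are all constructed for the demo.

```python
"""Toy model of a CDN-style shared cache in front of a per-user API endpoint.

Added example, not from the thread. Names, paths and tokens are constructed.
"""
import json

# constructed: opaque bearer value -> logged-in user
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


def parse_cache_control(value):
    """Return the set of lowercased Cache-Control directive names (values dropped)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def is_shared_cacheable(method, resp_headers):
    """A shared cache may store a GET response unless the origin forbids it."""
    directives = parse_cache_control(resp_headers.get("Cache-Control", ""))
    return method == "GET" and not ({"private", "no-store"} & directives)


class SharedCache:
    """Cache keyed on (method, path) only: it never looks at Authorization."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def request(self, method, path, headers):
        key = (method, path)
        if key in self.store:
            return self.store[key], "HIT"
        response = self.origin(method, path, headers)
        status, resp_headers, body = response
        if is_shared_cacheable(method, resp_headers):
            self.store[key] = response
        return response, "MISS"


def bearer_token(headers):
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def naive_origin(method, path, headers):
    """Echoes the caller's token in the body and says nothing about caching."""
    user = SESSIONS.get(bearer_token(headers))
    if user is None:
        return 401, {}, ""
    body = json.dumps({"user": user, "token": f"jwt-for-{user}"})  # constructed token
    return 200, {"Content-Type": "application/json"}, body


def hardened_origin(method, path, headers):
    """Same handler, but the response is marked as not storable by a shared cache."""
    status, resp_headers, body = naive_origin(method, path, headers)
    resp_headers = dict(resp_headers, **{"Cache-Control": "private, no-store"})
    return status, resp_headers, body


def simulate(origin):
    """Alice calls first, then Bob. Returns {user: (cache result, body Bob/Alice saw)}."""
    cache = SharedCache(origin)
    seen = {}
    for user, session in (("alice", "sess-alice"), ("bob", "sess-bob")):
        (status, _, body), result = cache.request(
            "GET", "/api/me", {"Authorization": f"Bearer {session}"})
        seen[user] = (result, body)
    return seen


if __name__ == "__main__":
    for name, origin in (("naive", naive_origin), ("hardened", hardened_origin)):
        print(name, simulate(origin))
```

With `naive_origin`, Bob's request is a cache `HIT` and the body he receives carries `jwt-for-alice`; with `hardened_origin` every caller is a `MISS` and gets their own token. Real CDNs apply their own default rules and may also key on configured headers, so treat this as a model of the cache-key mistake rather than of any specific vendor's behaviour.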
iratewizard ◴[] No.27303919[source]
To get around this, one could include the request IP address in the JWT and require a refresh token to be sent when the user's IP switches.
secureleaf ◴[] No.27304007[source]
This is not a safe method for protecting against this type of cache vulnerability. IP addresses are regularly shared by multiple users, especially when behind NAT (even mobile ISPs are doing carrier grade NAT these days).
iratewizard ◴[] No.27307762[source]
So there should be no fail safe since it can't be guaranteed to work in every scenario.