←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 2 comments | 27 May 21 10:28 UTC | HN request time: 0.528s | source
Show context
mavster ◴[27 May 21 13:50 UTC] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #
AtNightWeCode ◴[27 May 21 16:36 UTC] No.27305016[source]
I doubt that Klarna, a bank, have OSI layer 7 proxies in the cloud, with TLS termination in their CDN solution, on AWS. I would assume this traffic is outside of that. But then again, I know they wasted 25M+ Euros on a garbage NodeJS platform. They also created an own cloud once. Yes, it is in the trash bin.
replies(4): >>27305909 #>>27306271 #>>27308203 #>>27308438 #
jordanbeiber ◴[27 May 21 20:56 UTC] No.27308438[source]
They didn’t “create” their own cloud - they wanted to host their own hardware using an api layer to provision resources. That stuff was not built in-house.

Manhandled in-house though...

replies(1): >>27312532 #
AtNightWeCode ◴[28 May 21 07:05 UTC] No.27312532[source]
Sebastian used the word cloud when I met him.
replies(3): >>27313253 #>>27313352 #>>27318064 #
1. Hikikomori ◴[28 May 21 09:14 UTC] No.27313253[source]
There was a Klarna cloud yes. At the time it was unclear if finance/banks could utilise public cloud services (regulatory requirements), so it made sense in that way, but creating your own cloud is something few orgs are capable of.
replies(1): >>27313675 #
2. AtNightWeCode ◴[28 May 21 10:22 UTC] No.27313675[source]
It is not that uncommon among finance tech companies in Sweden to have some in house cloud. They often already have the knowledge to run servers with virtualization, logging, backups, redundancy and so on. Adding a service layer to that by using Kubernetes for instance is doable.