475 points danielstocks | 1 comments
dustinmoris ◴[] No.27301350[source]
I find the default Twitter response by the Klarna social media account really annoying. The issue is not a system disturbance. The issue is clearly in the whole implementation of the system itself, code which was written by developers and where something really stupid has been implemented and where security was not taken into account at all because an issue like this could have been prevented at so many layers and yet it happened.
replies(2): >>27301593 #>>27302352 #
useerup ◴[] No.27302352[source]
I've seen something like this happen because of a race issue during login. Basically the developer(s) had refactored something and were not aware that a global variable was being captured by a closure used for auth.

This meant that whenever two users signed in at the exact same time, there was a non-negligible chance that they swapped accounts during the flow.

It was actually not that easy to spot in the code. Sometimes what looks really, really stupid on the surface may in fact have a complicated and not-so-stupid explanation, often involving multiple developers and modernizing legacy code.

If it is a race condition, it can be incredibly hard to find during test.

Even if it is a stupid mistake, like e.g. not marking session cookies as secure and private, it does not mean that all of the rest of the code is bonkers.

replies(1): >>27304142 #
bagacrap ◴[] No.27304142[source]
Use of a global variable seems pretty stupid in fact, and easy to spot.
replies(1): >>27313273 #
useerup ◴[] No.27313273[source]
> and easy to spot

Not always. Like if you initialize middleware by using a "lambda" (closure), and from within that closure you create a new closure.

It means that you need to be aware of the context the outer closure is used in. If it is only instantiated once during initialization, its free variables are in essence "hidden" global variables. Not easy to spot.