←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 2 comments | 27 May 21 10:28 UTC | HN request time: 0s | source
Show context
mavster ◴[27 May 21 13:50 UTC] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #
AtNightWeCode ◴[27 May 21 16:36 UTC] No.27305016[source]
I doubt that Klarna, a bank, have OSI layer 7 proxies in the cloud, with TLS termination in their CDN solution, on AWS. I would assume this traffic is outside of that. But then again, I know they wasted 25M+ Euros on a garbage NodeJS platform. They also created an own cloud once. Yes, it is in the trash bin.
replies(4): >>27305909 #>>27306271 #>>27308203 #>>27308438 #
jordanbeiber ◴[27 May 21 20:56 UTC] No.27308438[source]
They didn’t “create” their own cloud - they wanted to host their own hardware using an api layer to provision resources. That stuff was not built in-house.

Manhandled in-house though...

replies(1): >>27312532 #
AtNightWeCode ◴[28 May 21 07:05 UTC] No.27312532[source]
Sebastian used the word cloud when I met him.
replies(3): >>27313253 #>>27313352 #>>27318064 #
1. piva00 ◴[28 May 21 09:36 UTC] No.27313352[source]
Klarna Cloud was a deployment of Cloudstack or Openstack (my memory fails me now) for internal usage, when there was still a lot of discussions around cloud lock-in, it was not an in-house built cloud platform.
replies(1): >>27313726 #
2. AtNightWeCode ◴[28 May 21 10:31 UTC] No.27313726[source]
I did not think they actually wrote the code. But I think the ambition was higher. Pretty much every CTO in this country have hubris and think their services will be sold to third parties.