Klarna users are being signed in to random accounts

475 points by danielstocks almost 4 years ago

64 comments

vesinisa almost 4 years ago
Klarna is no stranger to a criminally lax attitude towards data privacy and security. In Finland, they implemented a checkout flow based only on your SSN (personal ID number). By simply entering someone else's SSN (which is not hard to guess/pry) you can reveal anyone's official home address.

Further, they enable a "pay later by invoice" checkout flow, again by just knowing someone's SSN. Scammers use this to order items from web stores to automated pick-up lockers with someone else's SSN for payment info. The victim usually only becomes aware of this activity when they start getting debt collection notices for unpaid invoices from multiple stores for thousands and thousands of euros. The debt collection process in Finland is famously unfair and harsh towards the supposed "debtor" (here: victim of fraud).

Unless the "debtor" (victim) actively opposes each and every individual collection, the cases will eventually end up in court with summary judgement. This will ruin the victim's credit rating, which has devastating results for just about all aspects of life. People are known to have collapsed under the burden of all this and ended up taking their own life.

Klarna's response to all this is that they want a convenient checkout experience and some fraud is unavoidable. Although there are excellent technical means available to strongly identify users in Finland, they add a minor layer of inconvenience compared to just typing in your SSN. This is OK for Klarna since they give exactly zero fucks about security as long as they can make a little buck from it.
tedd4u almost 4 years ago
At a large site I used to work for circa 2011, before everyone had gone fully HTTPS, we received similar panicked reports from users: "I'm logged in as someone else!" Turns out an ISP in the Philippines decided to just ignore `cache-control` and `vary` headers and forcibly started caching logged-in responses along with auth cookies. Bad times. Made it clear to me why the whole web would have to go HTTPS.
generic_dev_47 almost 4 years ago
I worked in a project over 10 years ago where something very similar happened!

We had built an authentication service that, among other things, was used by a SyncML service that was used back in the day of feature phones to sync contacts etc. You can imagine that getting someone else's contacts on your phone isn't exactly ideal. This was how we came to know about the problem, from customers getting other customers' data!

The error was caused by a CDN switch. Our instructions to the CDN team responsible for the switch were "Make sure the CDN honors our cache headers, if our HTTP responses say something can be cached do so, if they say that the response should not be cached then don't". We were in at least three meetings where we repeated this mantra.

I believe that the CDN team thought that they had set up the CDN correctly but they had missed an edge case. The CDN was in fact set up to cache even uncacheable responses, and served those, _only_ when it could not reach our servers.

So if there was a traffic spike and the CDN determined that our authentication servers were unreachable it would fall back to serving data that should never have been cached in the first place! Happily returning tokens to random users that had authenticated just before the traffic spike...
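Added example (not part of the thread or any commenter's code): a toy shared cache with the "serve a kept copy when the origin is unreachable" fallback described in the two comments above (the ISP proxy that ignored `cache-control`, and the CDN switch), in a flawed mode that keeps every response and a corrected mode that keeps only what the response headers allow. The `Origin` and `Cdn` classes, the paths and the user names are constructed for illustration; refusing `Set-Cookie` responses is a conservative policy choice of this sketch.

```python
# Added example with constructed names and data; not code from the thread.

class OriginDown(Exception):
    """Raised when the origin cannot be reached (e.g. during a traffic spike)."""


class Origin:
    """Toy origin: a public static asset and a per-user token endpoint."""

    def __init__(self):
        self.up = True

    def fetch(self, path, user):
        if not self.up:
            raise OriginDown(path)
        if path.startswith("/static/"):
            return {"status": 200, "body": "logo-bytes",
                    "headers": {"Cache-Control": "public, max-age=60"}}
        # Authentication response: explicitly marked as not cacheable.
        return {"status": 200, "body": f"token-for-{user}",
                "headers": {"Cache-Control": "no-store, private",
                            "Set-Cookie": f"session=token-for-{user}"}}


def directives(resp):
    """Return the Cache-Control directive names of a response, lowercased."""
    raw = resp["headers"].get("Cache-Control", "")
    return {d.split("=")[0].strip().lower() for d in raw.split(",") if d.strip()}


def shared_cache_may_store(resp):
    """no-store and private forbid storage in a shared cache. Refusing
    Set-Cookie responses and requiring an explicit lifetime is this
    example's own conservative policy."""
    d = directives(resp)
    if d & {"no-store", "private"} or "Set-Cookie" in resp["headers"]:
        return False
    return bool(d & {"public", "max-age", "s-maxage"})


class Cdn:
    """Pass-through proxy that keeps a copy per path for origin outages."""

    def __init__(self, origin, honor_headers):
        self.origin = origin
        self.honor_headers = honor_headers
        self.store = {}  # path -> last response kept for fallback

    def get(self, path, user):
        try:
            resp = self.origin.fetch(path, user)
        except OriginDown:
            stale = self.store.get(path)
            if stale is not None:
                return stale  # fallback: serve whatever was kept
            return {"status": 502, "body": "origin unreachable", "headers": {}}
        # Flawed mode keeps every response; corrected mode checks the headers.
        if not self.honor_headers or shared_cache_may_store(resp):
            self.store[path] = resp
        return resp


def simulate(honor_headers, path):
    """alice requests `path`, the origin goes down, then bob requests it."""
    origin = Origin()
    cdn = Cdn(origin, honor_headers)
    cdn.get(path, "alice")
    origin.up = False
    return cdn.get(path, "bob")


if __name__ == "__main__":
    for honor in (False, True):
        for path in ("/auth/token", "/static/logo.png"):
            r = simulate(honor, path)
            print(f"honor_headers={honor} {path}: {r['status']} {r['body']}")
```

In the corrected mode the outage fallback still works for the public asset, while the token request fails closed with a 502 instead of returning another user's token.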
mrweasel almost 4 years ago
Klarna is a weird company. Last I interacted with them it was clear that they are completely designed to operate within Sweden, but have no idea of how to deal with the outside world. Maybe that has changed.

I talked to Klarna maybe 10 years ago. One of the things I wanted to know was how they dealt with abuse in Sweden, given you just need the social security number of a person and then you can make purchases as that person, and Swedish SSNs are not secret.

The friendly Klarna rep. had no idea what I meant, as you could only get stuff delivered to the address associated with the SSN. Based on how that would be abused in Denmark we suggested ordering a box of random sex toys to any random person in Sweden. The only answer I got was "Why would anyone do that?"

It took less than six months for Klarna to start asking us to block addresses, because they had no way to prevent abuse.
mavster almost 4 years ago
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.
shaan7 almost 4 years ago
Ha, one time I was debugging an issue that only happened to a particular user. Lazy as I was, I hardcoded his auth token in the code "just to test". Having found the bug quickly, I was excited and did not realize I checked-in the auth token too. Bypassed reviews, pushed to prod and then reports started coming in "Hey, users are saying they are all logged in to this random guy's account".

Lessons learned the hard way ;)
dkersten almost 4 years ago
Here's their official statement:

https://www.klarna.com/uk/blog/written-statement-on-app-bug/

Although I dunno about *"According to GDPR standards, only non-sensitive data was exposed."* since in the twitter thread someone said:

*This is definitely not a test environment. I was called by someone who was logged in to my account and saw all my personal data including bank details, Klarna card etc.*

And while I'm told the bank details are obfuscated (I don't use Klarna, I dunno), I would consider the phone number to be a clear breach of my privacy under GDPR.

Although, the twitter account that said that has 0 followers, so maybe it's not true. I dunno. I know someone who works for Klarna and he told me: *"Full investigation will take time. There's a LOT of engineers working on this. Only confirmation I have currently is that the firstname was visible."*

Going by the screenshots, first name and account balance. Doesn't seem that bad from a GDPR point of view. Still bad, of course, but not suuuper sensitive.

EDIT: Nevermind: https://twitter.com/esraefe/status/1397843949985931265
henvic almost 4 years ago
As a software engineer, I hate when I add a check for something "that will never happen" but that, if it happens, is awful, and people complain.

A classic example: you need to get a user from a session, check against a database, and continue if they're signed in.

Then I add a simple `if databaseUser.Username != form.Username` and people will say "if that happens we've something worse wrong". Geez, something might be wrong and such double checking might prove to be useful.

On a smaller scale, bits flip due to cosmic rays and so on. Of course, there must be a limit where we stop, but people are used to actively avoid doing such "silly assertions" even for important steps.

¯\_(ツ)_/¯
corroclaro almost 4 years ago
"The payment giant Klarna, which has 87 million customers globally, currently has major technical problems. Users of the company's app saw other customers' payments and personal information, before it was shut down completely.

The supervisory authority Finansinspektionen, FI, has asked Klarna to explain what happened."

A future, fascinating post-mortem I hope!
2rsf almost 4 years ago
Once you have logged in once, Klarna stores your credentials and then presents you with one-click buying inside ads on unrelated sites (well, Klarna is not doing the advertisements but allows such links).

You can then accidentally click the wrong thing and buy without any further confirmation. At least in Sweden you can ask them to request digital ID confirmation for each buy.

With the current problem maybe I can buy using someone else's name...
hundchenkatze almost 4 years ago
Klarna has posted a statement here https://www.klarna.com/uk/blog/written-statement-on-app-bug/
Raed667 almost 4 years ago
Reminds me of what happened to Steam a few years ago https://www.youtube.com/watch?v=dkSslseq9Y8
ho_schi almost 4 years ago
I once had contact with Klarna. It took me eight weeks of teaching until they accepted the truth - I didn't owe them a cent. Just one of the usual startups around outsourcing, minimum wage and avoiding actual work.

Lesson 1: If someone wants to sell you something and doesn't want to do the bookkeeping itself, avoid them.

Lesson 2: In doubt? Cash only.
terminalserver almost 4 years ago
Klarna says they are “experiencing technical disturbances due to technical errors”.

Sounds like a poltergeist.
Flow almost 4 years ago
Klarna wants to be the Facebook of payment. When I buy and pay with Klarna, they get the list of items and on Klarna's app and homepage I see pictures of whatever it is I bought.

I'm not sure what to think about this. My first thought is "Is this really legal?".
josteink almost 4 years ago
Lots of times when I’ve been buying things in e-shops I’ve been offered to pay using Klarna as a payment broker.

But doing so has always been more confusing for me compared to “regular” payments with a credit card anywhere else, and has overall been a negative experience for me.

I really don’t understand why anyone would prefer to use them at all.

What am I missing? Can anyone help me understand?
yummybear almost 4 years ago
I've had this happen, although not on a scale as this, when implementing caching and disregarding authentication as a parameter that varies the cache...
rossmohax almost 4 years ago
MS Exchange Outlook web interface sometimes showed me completely unrelated mailbox content upon login: folders, list of messages, read status, subjects, etc. Trying to open email never worked though and the whole problem goes away after page refresh.
adamlj almost 4 years ago
Caching and Vary headers can be tricky to get right
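Added example (not part of the thread): the cache-key mistake the comments above by yummybear and adamlj describe, where authentication is left out of what varies the cache. `UrlOnlyCache` keys on the path alone; `VaryAwareCache` also compares the request headers named in the stored response's `Vary`. All class names, the `/account` path and the bearer values are constructed for illustration.

```python
# Added example with constructed names and data; not code from the thread.

class Origin:
    """Toy origin: returns a per-user page and says it varies on Authorization."""

    def __init__(self):
        self.calls = 0

    def fetch(self, path, req_headers):
        self.calls += 1
        user = req_headers.get("Authorization", "anonymous")
        return {"body": f"account page for {user}",
                "headers": {"Cache-Control": "max-age=60",
                            "Vary": "Authorization"}}


def vary_names(resp):
    """Header names listed in the response's Vary field, lowercased."""
    raw = resp["headers"].get("Vary", "")
    return [n.strip().lower() for n in raw.split(",") if n.strip()]


class UrlOnlyCache:
    """Flawed: the key is the path alone, so the first caller's page is reused."""

    def __init__(self, origin):
        self.origin = origin
        self.entries = {}

    def get(self, path, req_headers):
        if path not in self.entries:
            self.entries[path] = self.origin.fetch(path, req_headers)
        return self.entries[path]["body"]


class VaryAwareCache:
    """A stored response is reused only if every request header it names in
    Vary has the same value as in the request that created the entry."""

    def __init__(self, origin):
        self.origin = origin
        self.entries = {}  # path -> list of (selecting header values, response)

    def get(self, path, req_headers):
        req = {k.lower(): v for k, v in req_headers.items()}
        for selected, resp in self.entries.get(path, []):
            if all(req.get(name) == value for name, value in selected.items()):
                return resp["body"]
        resp = self.origin.fetch(path, req_headers)
        names = vary_names(resp)
        if "*" not in names:  # "Vary: *" never matches a later request
            selected = {name: req.get(name) for name in names}
            self.entries.setdefault(path, []).append((selected, resp))
        return resp["body"]


def run(cache_cls):
    """alice, then bob, then alice again request the same URL."""
    origin = Origin()
    cache = cache_cls(origin)
    bodies = [cache.get("/account", {"Authorization": f"Bearer {u}"})
              for u in ("alice", "bob", "alice")]
    return bodies, origin.calls


if __name__ == "__main__":
    for cls in (UrlOnlyCache, VaryAwareCache):
        print(cls.__name__, run(cls))
```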
BasedInfra almost 4 years ago
Probably caching set incorrectly. Happened with Steam years ago - https://www.bleepingcomputer.com/news/security/steam-caching-error-leads-to-account-disclosure/
sharken almost 4 years ago
Time for a blameless postmortem

https://www.atlassian.com/incident-management/postmortem/blameless

Or perhaps not

https://techbeacon.com/app-dev-testing/blameless-postmortems-dont-work-heres-what-does
WaitWaitWha almost 4 years ago
From this event... game idea:

Create a social media site - allow postings, conversations, threads, etc.

Every quarter (or some other period), there is "reconning". You are placed into a complete stranger's account, and now you have to continue it for a week (or some other short period).

Whoever can maintain the quality of the account, in the direction as the original owner, wins a banana (or kumquat, something good but not expensive for anyone).

After reconning period, owner returns and judges. Non-participation is default no-win.
ThePhysicist almost 4 years ago
Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.
cerved almost 4 years ago
Kristel and Sonya seem to have the same due payments
K0nserv almost 4 years ago
I suspect this might be a request threading/confusion [0] issue similar to the one GitHub experienced a while back. This would explain why seemingly random user data is being returned.

0: https://github.blog/2021-03-18-how-we-found-and-fixed-a-rare-race-condition-in-our-session-handling/
andersco almost 4 years ago
My email includes a common Swedish first name so I regularly have people mistakenly use my email address for Klarna orders. What’s most annoying/troubling is that, at least last time I checked, they don’t verify an address before sending invoices, etc. so I end up with other people’s order info in my inbox. I finally started unsubscribing from notifications for orders that weren’t mine.
Raed667 almost 4 years ago
Totally anecdotal, and probably unrelated, I interviewed for Klarna a few years ago.

Mid process, they sent me some sort of timed bizarre IQ test that the recruiter claims EVERYONE who works there has to take.

That's when I knew that kind of working culture wasn't for me.
OJFord almost 4 years ago
I think this would make quite an interesting exercise for whatever it is one works on oneself; that is, what's the minimum, most innocuous patch that causes this behaviour?

I bet it's not as much as people railing against it would like to think.

I'm partly thinking of this because I fixed a (way less critical) bug today that boiled down to a (x - y) * z = 0 query that should've just been (x - y) = 0. But it was hidden by the whole expression being named, and that then seeming correct, it not being obvious that `z` could be 0 (or was involved at all) and as a result unwanted results would be included where x != y.

Probably the most obvious one is different IDs - have two fk columns that sound a bit similar and it's easy to come a cropper, getting 'random' records that correspond to a given ID but that's for the wrong table...
foobarbazetc almost 4 years ago
I’m pretty sure this (or something like it) happens at least once to every major site. The stuff of nightmares.
p2detar almost 4 years ago
We still haven’t got our money back for a purchase paid via Klarna. Apparently they wired the money to another bank account but under my partner’s name.

After 3 support calls and several emails, we just gave up. Fortunately it was just €12.

This was so frustrating that we now avoid paying with Klarna whenever possible.
ipsin almost 4 years ago
What are the ways you can implement "log in as anyone accidentally"?

I'm imagining it was a case of an SQL-based password check where "TRUE OR" got added to the WHERE clause, and the code takes the first result instead of expecting *only* 0 or 1 row.

Are there other easy ways to do this?
justkez almost 4 years ago
They also had a snafu with marketing emails late last year [1] - not a great look for a company handling bank/payments.

[1] https://www.bbc.co.uk/news/business-54521820
AtNightWeCode almost 4 years ago
Will be interesting to see what the problem is here. From what I have seen in real life, my top guesses are: some dependency on static variables in code, or a reverse proxy with incorrect cache rules that ignores headers or some parameter.
Saint_Genet almost 4 years ago
You have to wonder why they decided to stay up. Surely, if you have a leak this bad, you pull the plug until you can fix it.
maxekman almost 4 years ago
Their iOS app shows “Down for maintenance” :)
sneak almost 4 years ago
There was that time that Dropbox let you log in to any account with any password, too.

I've never run a line of Dropbox code on any machine I own since that day. Even if you have no tests whatsoever on your app, you should have some basic smoke tests on your auth system.
mirceapreotu almost 4 years ago
Cache invalidation issue. Classic
_u almost 4 years ago
I can remember something similar happening on Facebook back in 2013-2014 (when I was a kid). I went on this app called 'Video Chat Rounds' and when I left the app, I got signed in to a random Facebook account.
klarnaenginner almost 4 years ago
Is that really a surprise to you guys? Just look for the old Klarna news; this is not the first time and won’t be the last time. There is no security on the internet, just get used to it, if you use Klarna.
gladw almost 4 years ago
Other discussion that is rapidly sinking from the front page:

https://news.ycombinator.com/item?id=27301311
cpach almost 4 years ago
Dupe https://news.ycombinator.com/item?id=27301311
ericmay almost 4 years ago
Does Klarna still do the IQ test as part of their hiring process?
speedgoose almost 4 years ago
It will be an interesting post mortem if they make it public.
diveanon almost 4 years ago
If you rely on your application layer to enforce data privacy instead of enforcing it in your storage layer it's just a matter of time until you have an issue like this.

It says a lot about the security of their API and development culture that they are even struggling with something like this. This should be caught in the first architecture review session.
tibiahurried almost 4 years ago
The new guy that stores user information in the servlet. I have seen this before.
3dbrows almost 4 years ago
Reminds me of this GitHub incident: https://github.blog/2021-03-18-how-we-found-and-fixed-a-rare-race-condition-in-our-session-handling/
Seattle3503 almost 4 years ago
I've seen this happen when Cloudflare caching is misconfigured.
anontrot almost 4 years ago
Context in global variables
e_proxus almost 4 years ago
Translation:

Major technical breakdown at Klarna when customers saw other people's data - The Swedish Financial Supervisory Authority (FI) has contacted the company

Payment giant Klarna, which has 87 million customers globally, is currently experiencing major technical problems. Users of the company's app saw other customers' payments and personal data, before it was shut down completely. The supervisory authority Finansinspektionen, FI, has asked Klarna to explain what happened.

In its app, Klarna has major technical problems. It means that users were logged into other customers' accounts and thereby see sensitive data such as their payment and purchase history and postal address. Users were also able to see part of the bank details linked to Klarna, but not the full account number.

One of Di's journalists accessed an account belonging to "Elisabeth". When the app was reloaded, another customer's login became visible.

When customers logged in with their own bank ID, they accessed other people's accounts. Each time they refreshed the page on the app, they brought up the details of a new, seemingly random user. It is unclear whether customers have been able to shop with other people's money.

Klarna had a total of 87 million consumers worldwide at the end of 2020, but it's unclear how many of those have an account on the company's app. The technical breakdown also extends beyond Sweden's borders, with outraged reactions pouring in on Twitter from Klarna users in various countries.

Klarna has now closed the app, citing a service outage. The company's press officer Niklas Gillström will return to Di after a while with a written comment.

"We are currently experiencing disruptions in our systems caused by technical problems. We are doing our utmost to restore the system and our services to full capacity and apologize for any inconvenience this may cause our customers. We have currently blocked all logins to the app until we are sure the problem has been fully resolved."

Di continues to seek the company for follow-up questions on whether the technical problems are due to an internal breakdown or external influence, how seriously the company views the sharing of personal data between users and whether customers may now have accidentally traded with other people's money. Klarna has asked for a response.

The Swedish Financial Supervisory Authority, FI, which among other things is the supervisory authority for banks, states that it has been informed of the situation.

"We have contacted Klarna and asked them for an explanation of what has happened," says Karin Lundberg, head of the business area Banking, to Di.

At the moment, FI has no further comments, she adds.

Di also seeks the Privacy Protection Authority, IMY, formerly known as the Data Inspectorate, for comment.

IMY has the right to fine companies up to 4 percent of their global annual turnover for serious violations. In addition, Klarna could face civil litigation, not least in the US where it has 15 million users.

(Translated with www.DeepL.com/Translator)
cblconfederate almost 4 years ago
I'm sure it's not random but somehow systematic
nopcode almost 4 years ago
Looks like a JWT oopsie
ecmascript almost 4 years ago
Time to GDPR my account on Klarna then.
m3kw9 almost 4 years ago
Free advertising
saos almost 4 years ago
Ahh, that's why I'm struggling to sign in
snthd almost 4 years ago
So a maximum GDPR fine of ~$48M?
def_true_false almost 4 years ago
The Klarna effect?
arkitaip almost 4 years ago
Right now there is more sweating than raining at Klarna in Stockholm.
paxys almost 4 years ago
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
sneak almost 4 years ago
> *Hear hear, I used Klarna (not by choice)*

It was by choice. You weren't born with an account.

Not taking personal responsibility for the rise of the ubiquity of these terrible online services (WhatsApp users, I'm looking at you) is a huge part of the problem. Pretending that you didn't opt-in is a lie you've told yourself; you shouldn't propagate that lie to others in society.
Inhibit almost 4 years ago
Huh, from the headline I was thinking it was intentional! Nothing but marketing fluff in the newsfeed yet, still waiting on an article that's not walled in Swedish(?).
sublimefire almost 4 years ago
Junior dev was facing a dilemma.

Before pushing to production please finish this code and choose the id you want to use:

"select * from users where id = ?"

> user_id

> profile_id

> user_profile_id

> profile_user_id

> id

> rand()
bjornsing almost 4 years ago
Interesting that all the screenshots have a (typically) female name, and the reporter seems female. Could be chance of course, but a quite low likelihood if the sampling is truly random... Can’t help thinking what kind of bug could cause that. :)
dustinmoris almost 4 years ago
I find the default Twitter response by the Klarna social media account really annoying. The issue is not a system disturbance. The issue is clearly in the whole implementation of the system itself, code which was written by developers and where something really stupid has been implemented and where security was not taken into account at all because an issue like this could have been prevented at so many layers and yet it happened.
_nnv7 almost 4 years ago
I am really really interested in knowing the root cause. I am really concerned by agile, and start-up hipster culture creeping into critical infrastructure companies.

There are so many patterns (event driven, CQRS) in recent microservices architecture, which are gaining popularity and people have been using them without realizing the cons and the need for them.