Klarna Vulnerability Allowed 90 000 Users to See the Account Details of Other Customers
The Company Says that a Human Error Caused the Flaw and Not an External Breach of their Systems.
The mobile banking service Klarna recently suffered a serious security incident in which users of its app, on logging in, were shown other customers' accounts and the information stored in them.
The buy-now-pay-later company says the flaw that let customers see each other's information was caused by human error, not by an external breach of its systems.
Klarna Bank AB, commonly referred to as Klarna, is a Swedish fintech company that provides online financial services such as payments for online storefronts, direct payments, and post-purchase payments.
Yesterday, users reported that when they logged into the Klarna mobile app they were shown the account details of other customers instead of their own.
@Klarna @AskKlarna has a major security issue on their hands this morning!!!! Every sign in is a different person's details 🤦♀️🤦♀️ pic.twitter.com/0JsTGcGIgE
— Kerrie Stewart (@KezStew) May 27, 2021
Once the problem was widely reported, Klarna took its mobile app offline for several hours; customers who tried to log in saw the message "Sorry, the Klarna app is currently down for maintenance".
Klarna says a recent update introduced the technical issue, which exposed the data of 0.1% of its users, approximately 90,000 people.
In a statement about the mobile app bug, the company said:
This is why we are sad and frustrated to inform you of a self-inflicted incident, that for 31 min affected up to 0.1%, approximately 90 000, of our users. The bug led to random user data being exposed to the wrong user when accessing our user interfaces.
Klarna said the exposure was entirely random and included no financial information, so it would not have been possible to target a specific user's data, and that under GDPR only non-sensitive data was exposed. That framing deserves a caveat: names, postal addresses and phone numbers are personal data under the GDPR even though they are not "special category" data (Article 9), and their disclosure to the wrong user is a personal data breach in the regulation's own definition, whether or not the exposure could be targeted.
While Klarna states that the vulnerability affected only non-sensitive data, customers claim otherwise. They say they were able to see sensitive data such as names, mobile numbers, addresses, stored bank accounts, purchases, and saved credit cards.
Worse, Klarna customers report that each time they logged into the mobile app they landed in yet another customer's account.
Each time I tried to log in to my @Klarna account this morning, I'm on someone else's account? Does this also mean someone else might currently be on my account? What the hell is going on?!! @AskKlarna pic.twitter.com/hqimF2zx7S
— esra efe laborde (@esraefe) May 27, 2021