KLM leaked data customers: private data easily collected

56 points by dveeden2 1 year ago | 14 comments
  • dang 1 year ago
    I know that automatic translation has gotten pretty good, but there's still an uncanny valley that leads to confusion in the comments, as happened here. So please don't post automatic translations.

    https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

    • jeroenhd 1 year ago
      Looks like they blocked the NOS office afterwards (not during, or there wouldn't have been this much of a problem): https://mastodon.social/@schellevis/111600856003113225

      Can't be the subject of any negative news stories if you block all the journalists, right?

      • t0mas88 1 year ago
Not really a fair representation of what happened to call that "blocking journalists". They basically blocked the IP that was brute-forcing them, which every normal security team would do. The real point of critique is that it took them a few hours to do so instead of doing that in an automated way after some number of guessing attempts.
        • jeroenhd 1 year ago
          I would believe that if they unblocked the IP address once they found out the "attack" was done by journalists.

          Unless these endpoints are under constant attacks and can't figure out which IP addresses belonged to the journalists, but then they shouldn't trivialise the impact of this thread in their response.

      • janmo 1 year ago
I was recently shocked when using my banking app: you type the account number of another customer at the same bank (6 to 7 digits) and the app fills in the name of the account owner (and asks you to check that it is the person you want to send the money to). I really felt uneasy about it and hope they limit this kind of lookup to a certain number of requests per user per day, or someone could easily get all of the bank's customer names and their respective account numbers. That would be insanely dangerous.
        • polishninja 1 year ago
Usually you have to provide another piece of information, like the first 5 letters of the last name or something. It's definitely not good that they show you a name just by putting in an account number.
        • lbriner 1 year ago
          Anyone who uses the phrase "we take security seriously" after doing something so basically wrong should go to prison.

These aren't new or advanced or zero-day; they are well-documented types of vulnerabilities that have existed forever. If you are struggling with short text messages, then buy a shorter domain name and keep the codes longer and less guessable.

          • halz 1 year ago
            It appears the short 'magic link' was along the lines of https://www[.]klm[.]nl/s/AbCdEf
            • codeptualize 1 year ago
Six characters... makes you wonder how this made it into production with no one sounding the alarms.
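Added example (not a comment from this thread and not KLM's code): the arithmetic behind the comments above by t0mas88 (automatic blocking after some number of guesses), lbriner (keep the codes longer) and halz/codeptualize (a six-character link). It assumes the link token drew from the 52 mixed-case ASCII letters, as the observed `AbCdEf` suggests; the request rates, the number of live links and the hypothetical `store` are constructed inputs. The point it shows is that an attacker never needs to enumerate the whole keyspace: with many live links, the expected number of guesses before the first hit is keyspace divided by the number of live tokens, so only a long random token or an early per-client cutoff helps.

```python
import secrets
import string
import time
from collections import defaultdict

# Assumption: the observed link https://www[.]klm[.]nl/s/AbCdEf used
# mixed-case ASCII letters (52 symbols). The real alphabet is unknown, so
# every function below takes the alphabet size as a parameter.
LETTERS = string.ascii_letters


def keyspace(length: int, alphabet_size: int = len(LETTERS)) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** length


def hours_to_enumerate(length: int, guesses_per_second: float,
                       alphabet_size: int = len(LETTERS)) -> float:
    """Hours needed to try every possible token at a fixed request rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 3600


def expected_guesses_to_first_hit(length: int, live_tokens: int,
                                  alphabet_size: int = len(LETTERS)) -> float:
    """Expected number of uniformly random guesses before any one of
    `live_tokens` valid links is hit. With N valid tokens in a space of
    size K each guess succeeds with probability N/K, so the expectation
    is K/N: far smaller than the full keyspace when many links are live."""
    return keyspace(length, alphabet_size) / live_tokens


def new_token(length: int = 24, alphabet: str = LETTERS) -> str:
    """Unguessable token from the OS CSPRNG; 24 letters give > 2^128 values."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class GuessLimiter:
    """Per-client sliding-window attempt counter. After `max_attempts`
    lookups within `window_seconds` further lookups from that client are
    refused until old attempts age out. The clock is injectable for tests."""

    def __init__(self, max_attempts: int, window_seconds: float,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(list)

    def allow(self, client: str) -> bool:
        now = self.clock()
        recent = [t for t in self._attempts[client] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._attempts[client] = recent
            return False
        recent.append(now)
        self._attempts[client] = recent
        return True


def resolve_link(token: str, client: str, store: dict, limiter: GuessLimiter):
    """Look up a short link. Returns (status, record): 'rate_limited' before
    the store is consulted, 'not_found' on a miss, 'ok' with the record on a
    hit. Every attempt, hit or miss, counts toward the limit, so a scanner
    is cut off after a handful of tries rather than hours later."""
    if not limiter.allow(client):
        return "rate_limited", None
    record = store.get(token)
    if record is None:
        return "not_found", None
    return "ok", record


if __name__ == "__main__":
    print(f"52^6 = {keyspace(6):,} tokens; full enumeration at 100 req/s "
          f"takes {hours_to_enumerate(6, 100):,.0f} hours")
    print(f"but with 1,000,000 live links the first hit is expected after "
          f"~{expected_guesses_to_first_hit(6, 1_000_000):,.0f} guesses")
    print(f"24-letter token: {new_token()} "
          f"({keyspace(24).bit_length() - 1} bits of keyspace)")
    # Constructed sample store and a client that scans it.
    store = {"AbCdEf": {"booking": "constructed-sample"}}
    limiter = GuessLimiter(max_attempts=5, window_seconds=60)
    for guess in ["aaaaaa", "aaaaab", "aaaaac", "aaaaad", "aaaaae", "AbCdEf"]:
        print(guess, resolve_link(guess, "203.0.113.7", store, limiter)[0])
```

With the constructed numbers the contrast is the whole story: enumerating 52^6 at 100 requests per second takes about 54,918 hours, but with a million live links the first valid one is expected after roughly 19,771 guesses, a few minutes at the same rate. The limiter refuses the sixth lookup from a client within the window, which is the automated cutoff t0mas88 describes; a longer random token makes the expected-guess count astronomically large regardless of rate.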
              • pxeger1 1 year ago
                The headline doesn’t seem perfectly accurate (aside from being grammatically incorrect). This issue was discovered by security researchers, and there’s no evidence it was actively exploited by real hackers. (If it was, KLM would have to report it to the authorities, and then we’d surely know about it)
                • janwillemb 1 year ago
It is auto-translated from Dutch.

                  And what is wrong about the title? Data was leaked, it was easy to collect customer data.

                  KLM is in denial, that's for sure. They refuse to own the obvious error.

                  • Moru 1 year ago
I think what GP was having a problem with in the headline: "KLM leaked data customers" means they leaked the "data customers", not the "customers' data".
                    • ramon156 1 year ago
In Dutch you would be referring to data (of) customers, so it's most likely a translation error.
                      • codeptualize 1 year ago
                        That indeed looks like a translation thing, it’s how you would say it in Dutch