KLM leaked data customers: private data easily collected (opens in new tab)

(translations.lab.nos.nl)

56 pointsdveeden22y ago14 comments

14 comments

12 comments · 7 top-level

jeroenhd2y ago· 2 in thread

Looks like they blocked the NOS office afterwards (not during, or there wouldn't have been this much of a problem): https://mastodon.social/@schellevis/111600856003113225

Can't be the subject of any negative news stories if you block all the journalists, right?

t0mas882y ago

Not really a fair representation of what happened to call that "blocking journalists". They basically blocked the IP that was brute-forcing them, which every normal security team would do. That real point of critique is that it took them a few hours to do so instead of doing that in an automated way after some number of guessing attempts.

jeroenhd2y ago

I would believe that if they unblocked the IP address once they found out the "attack" was done by journalists.

Unless these endpoints are under constant attacks and can't figure out which IP addresses belonged to the journalists, but then they shouldn't trivialise the impact of this thread in their response.

pxeger12y ago· 2 in thread

The headline doesn’t seem perfectly accurate (aside from being grammatically incorrect). This issue was discovered by security researchers, and there’s no evidence it was actively exploited by real hackers. (If it was, KLM would have to report it to the authorities, and then we’d surely know about it)

janwillemb2y ago

It is auto translated from Dutch.

And what is wrong about the title? Data was leaked, it was easy to collect customer data.

KLM is in denial, that's for sure. They refuse to own the obvious error.

Moru2y ago

I think what GP was having a problem with in the headline: "KLM leaked data customers" means they leaked the "data customers", not the "customers data".

2 more replies

janmo2y ago· 1 in thread

I recently was shocked when using my banking app, you type the account number of another customer at the same bank (6 to 7 digits) and the app will fill out the name of the account owner (and ask you to check it is the person you want to send the money to), I really felt at unease by it and hope they limit this kind of lookup to a certain number of requests per user/day or someone could easily get access to all of the bank's customer names and their respective account number, this would be insanely dangerous.

polishninja2y ago

Usually you have to provide another piece of information like the first 5 letters of the last name or something. That's definitely not good that they show you a name by just putting in an account number.

dang2y ago

I know that automatic translation has gotten pretty good, but there's still an uncanny valley that leads to confusion in the comments, as happened here. So please don't post automatic translations.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

lbriner2y ago

Anyone who uses the phrase "we take security seriously" after doing something so basically wrong should go to prison.

These aren't new or advanced or zero-day, they are well-documented types of vulnerabilities that have existed forever. If you are struggling with short text messages then buy a shorter domain name and keep the codes longer and less guessable.

halz2y ago

It appears the short 'magic link' was along the lines of https://www[.]klm[.]nl/s/AbCdEf

codeptualize2y ago

Six characters.. makes you wonder how this made it into production with no one sounding the alarms

j / k navigate · click thread line to collapse