KLM leaked data customers: private data easily collected

translations.lab.nos.nl

56 points by dveeden2 2 years ago · 14 comments


dang 2 years ago

I know that automatic translation has gotten pretty good, but there's still an uncanny valley that leads to confusion in the comments, as happened here. So please don't post automatic translations.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

jeroenhd 2 years ago

Looks like they blocked the NOS office afterwards (not during, or there wouldn't have been this much of a problem): https://mastodon.social/@schellevis/111600856003113225

Can't be the subject of any negative news stories if you block all the journalists, right?

  • t0mas88 2 years ago

    Not really a fair representation of what happened to call that "blocking journalists". They basically blocked the IP that was brute-forcing them, which every normal security team would do. The real point of critique is that it took them a few hours to do so instead of doing that in an automated way after some number of guessing attempts.

    • jeroenhd 2 years ago

      I would believe that if they unblocked the IP address once they found out the "attack" was done by journalists.

      Unless these endpoints are under constant attacks and can't figure out which IP addresses belonged to the journalists, but then they shouldn't trivialise the impact of this threat in their response.

janmo 2 years ago

I recently was shocked when using my banking app: you type the account number of another customer at the same bank (6 to 7 digits) and the app will fill out the name of the account owner (and ask you to check it is the person you want to send the money to). I really felt at unease by it and hope they limit this kind of lookup to a certain number of requests per user/day, or someone could easily get access to all of the bank's customer names and their respective account numbers. This would be insanely dangerous.

  • polishninja 2 years ago

    Usually you have to provide another piece of information like the first 5 letters of the last name or something. That's definitely not good that they show you a name by just putting in an account number.

lbriner 2 years ago

Anyone who uses the phrase "we take security seriously" after doing something so basically wrong should go to prison.

These aren't new or advanced or zero-day, they are well-documented types of vulnerabilities that have existed forever. If you are struggling with short text messages then buy a shorter domain name and keep the codes longer and less guessable.
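The two mitigations this thread keeps circling back to, t0mas88's point that guessing should trip an automated block instead of a manual one hours later (and janmo's wish for a per-user lookup cap on the bank-name endpoint), and lbriner's "keep the codes longer and less guessable", can be shown together in a few lines. The following is an added illustration, not code from KLM, NOS or anyone in the thread: a failure-count limiter that blocks a client after a number of invalid lookups inside a sliding window, next to a token generator whose length can be compared against the six-character `/s/AbCdEf` style link. The client identifiers, thresholds and the in-memory store are assumptions chosen for the example; a real deployment would keep the counters in shared storage and key them on more than a source IP.

```python
import math
import secrets
import string
from collections import defaultdict, deque

# Same 62-symbol alphabet (a-z, A-Z, 0-9) a link such as /s/AbCdEf appears to use.
ALPHABET = string.ascii_letters + string.digits


def token_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int = len(ALPHABET),
                     valid_tokens: int = 1) -> float:
    """Expected number of uniform random guesses before hitting any live token.

    The attacker does not need a particular link: with `valid_tokens` links in
    circulation, the expected effort shrinks by that factor. Six symbols with
    one live link is ~2.8e10 guesses; with a million live links it is ~28,400.
    """
    return (alphabet_size ** length) / (2 * valid_tokens)


def make_token(length: int = 32) -> str:
    """Generate a token with the `secrets` CSPRNG, not `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class FailureLimiter:
    """Sliding-window failure counter with a temporary block per client key.

    Assumed policy for the example: more than `max_failures` invalid lookups
    within `window_s` seconds blocks the client for `block_s` seconds.
    """

    def __init__(self, max_failures: int = 20, window_s: int = 3600,
                 block_s: int = 86400) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.block_s = block_s
        self._failures: dict[str, deque] = defaultdict(deque)
        self._blocked_until: dict[str, float] = {}

    def is_blocked(self, client: str, now: float) -> bool:
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now >= until:  # block expired; start the client with a clean slate
            del self._blocked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client: str, now: float) -> bool:
        """Record one invalid lookup; return True if this one triggers a block."""
        q = self._failures[client]
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[client] = now + self.block_s
            return True
        return False

    def clear(self, client: str) -> None:
        """Operator unblock, e.g. once the source of the traffic is identified."""
        self._blocked_until.pop(client, None)
        self._failures.pop(client, None)


def resolve_link(token: str, live_tokens: set, client: str, now: float,
                 limiter: FailureLimiter) -> str:
    """Look a short link up, counting misses per client before answering.

    Returns "blocked", "ok" or "invalid". A blocked client learns nothing,
    not even whether its guess happened to be valid.
    """
    if limiter.is_blocked(client, now):
        return "blocked"
    if token in live_tokens:
        return "ok"
    limiter.record_failure(client, now)
    return "invalid"


if __name__ == "__main__":
    print(f"6 chars: {token_bits(6):.1f} bits, ~{expected_guesses(6):.3g} guesses")
    print(f"32 chars: {token_bits(32):.1f} bits")
    limiter = FailureLimiter(max_failures=3, window_s=60, block_s=600)
    live = {make_token()}
    for i, guess in enumerate(["AbCdEf", "AbCdEg", "AbCdEh", "AbCdEi"]):
        print(guess, resolve_link(guess, live, "203.0.113.5", float(i), limiter))
```

The limiter only answers the "how fast should the block have happened" question; the entropy numbers answer the "how short is too short" one. Note that a guessing client is blocked before it learns the result of the guess that tripped the threshold, and that `clear()` is the operator-side counterpart of the unblock jeroenhd asks about.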

halz 2 years ago

It appears the short 'magic link' was along the lines of https://www[.]klm[.]nl/s/AbCdEf

codeptualize 2 years ago

Six characters... makes you wonder how this made it into production with no one sounding the alarms.

pxeger1 2 years ago

The headline doesn’t seem perfectly accurate (aside from being grammatically incorrect). This issue was discovered by security researchers, and there’s no evidence it was actively exploited by real hackers. (If it was, KLM would have to report it to the authorities, and then we’d surely know about it)

  • janwillemb 2 years ago

    It is auto-translated from Dutch.

    And what is wrong about the title? Data was leaked, it was easy to collect customer data.

    KLM is in denial, that's for sure. They refuse to own the obvious error.

    • Moru 2 years ago

      I think what GP was having a problem with in the headline: "KLM leaked data customers" means they leaked the "data customers", not the "customers data".

      • ramon156 2 years ago

        In Dutch you would be referring to data (of) customers, so it's most likely a translation error.

      • codeptualize 2 years ago

        That indeed looks like a translation thing; it's how you would say it in Dutch.
