14 comments

[ 4.7 ms ] story [ 43.6 ms ] thread
Looks like they blocked the NOS office afterwards (not during, or there wouldn't have been this much of a problem): https://mastodon.social/@schellevis/111600856003113225

Can't be the subject of any negative news stories if you block all the journalists, right?

Not really a fair representation of what happened to call that "blocking journalists". They basically blocked the IP that was brute-forcing them, which every normal security team would do. That real point of critique is that it took them a few hours to do so instead of doing that in an automated way after some number of guessing attempts.
I would believe that if they unblocked the IP address once they found out the "attack" was done by journalists.

Unless these endpoints are under constant attacks and can't figure out which IP addresses belonged to the journalists, but then they shouldn't trivialise the impact of this thread in their response.

I recently was shocked when using my banking app, you type the account number of another customer at the same bank (6 to 7 digits) and the app will fill out the name of the account owner (and ask you to check it is the person you want to send the money to), I really felt at unease by it and hope they limit this kind of lookup to a certain number of requests per user/day or someone could easily get access to all of the bank's customer names and their respective account number, this would be insanely dangerous.
Usually you have to provide another piece of information like the first 5 letters of the last name or something. That's definitely not good that they show you a name by just putting in an account number.
The headline doesn’t seem perfectly accurate (aside from being grammatically incorrect). This issue was discovered by security researchers, and there’s no evidence it was actively exploited by real hackers. (If it was, KLM would have to report it to the authorities, and then we’d surely know about it)
It is auto translated from Dutch.

And what is wrong about the title? Data was leaked, it was easy to collect customer data.

KLM is in denial, that's for sure. They refuse to own the obvious error.

I think what GP was having a problem with in the headline: "KLM leaked data customers" means they leaked the "data customers", not the "customers data".
That indeed looks like a translation thing, it’s how you would say it in Dutch
In dutch you would be referring to data (of) customers, so it's most likely a translation error
Six characters.. makes you wonder how this made it into production with no one sounding the alarms
Anyone who uses the phrase "we take security seriously" after doing something so basically wrong should go to prison.

These aren't new or advanced or zero-day, they are well-documented types of vulnerabilities that have existed forever. If you are struggling with short text messages then buy a shorter domain name and keep the codes longer and less guessable.