Klarna Weak SMS Authentication

Klarna allows you to log in using BankID, SMS or Email. This intrigued me, as experience tells me tokens sent via SMS tend to be bad. So I took a look.

When authenticating via SMS Klarna asks you for two things. Your swedish personal id number and your phone number. The following data is sent as a XMLHttpRequest to https://my.klarna.com/se/sv/login.

{
    'user_type': 'full',
    'user_asset': '07712341234',
    'pno': '1234123412'
}

As a response, Klarna sends you a SMS with a 4-digit pincode. Maybe you can see where I'm going with this.

Bruteforcing the pin gives you twelve tries before the system blocks your supplied phonenumber for a day. This gives you a probability of: 1/10000 + 1/9999 + ... + 1/9989 = 0.0012 to gain access to an individual account.

We can further use this authentication weakness to bruteforce on a large number of accounts. Getting swedish personal ids and associated phonenumbers is somewhat easy by cross referencing different online services. With a list of these, we could in theory obtain access to an arbitary account. I did not try this for ethical reasons.

I'm not sure if Klarna locks out IP addresses too, but lets pretend that they do. I was able to access my own account via Tor and I also did not see any typical Cloudflare headers or similar indicator of a that would attempt to block an automated attack coming from Tor. According to Tor metrics there are currently just over 750 exit nodes. If we were able to use every one of these addresses for one try, we would have a pretty good shot at getting into an account. Of course, this is all just assuming that there is an IP block to begin with. We could likely also try multiple different accounts per exit node.

Email Oracle

We can check if a given email has a klarna account associated with it. Just following the normal login procedure, I submitted an email account I've never used with Klarna. This resulted in a success screen and my that inbox for that email address received an email saying that Klarna could not find an associated account. However, when I tried my real email address that I use for Klarna, it went to a second verification step asking for my personal id.

{
    'user_type': 'full',
    'user_asset': '<email>',
    'pno': ''
}

We could also potentially use this to confirm that an email address belongs to a certain personal id.

SMS Abuse Spam

I found that I could just keep spamming repeat the request that made Klarna send the SMS. There doesn't seem to be any rate limiting. This could be abused to annoy someone by spamming them with SMS messages. Potentially it may also lock them out of their account, if they can't access via email or bankid.