undefined | Better HN

0 pointsdalore2y ago0 comments

Having sequential ID's is more than just a security risk, it's an information risk. Competitors can use them to estimate the size of your business, the number of customers you have, and all sorts of stuff.

This was used in the war to estimate the number of German tanks based on the sequential IDs

https://en.wikipedia.org/wiki/German_tank_problem

So just for business intelligence you don't want to leak your IDs.

0 comments

13 comments · 4 top-level

sgarland2y ago· 5 in thread

I’ve heard this argument many times, but I’ve never seen anyone actually post a reference to it happening (as in, a company finding and using this information; not the German tank problem).

To me, it reeks of solving imaginary problems while causing new ones.

lightbendover2y ago

Years ago I wrote a library that would exaggerate sequential IDs to make our SaaS platform appear more popular than it actually was to anyone trying to pay attention. Not sure if I’m proud of the hack or embarrassed. But of both I suppose.

pnpnp2y ago

but UUIDv7 isn’t sequential (unless I’m getting it mixed up). There’s just a time-based component which can make sorting really nice & some random bits at the end.

If you don’t let an attacker iterate your data, all they can tell is when the ID was created.

3 more replies

umanwizard2y ago

I vaguely remember somebody figuring out from photoshop activation IDs how many sales adobe was making and trading options around their earnings report with that information.

I don’t remember the details, so maybe it was something else and not photoshop/adobe.

dbbk2y ago

It's perhaps embarrassing for a new startup to have a user ID of "10".

That's about the only problem I can discern.

jabroni_salad2y ago

Depends on how far you get, I suppose. Wozniak's apple employee badge has ID #1 on it, and that's cool as heck. I also remember ICQ users sorting themselves based on how many digits their identifier had.

madeofpalk2y ago· 3 in thread

Not disagreeing with the general concept - these IDs leak information - but these are sequential IDs, not auto-incrementing IDs. The leak is the time the ID was generated, not the volume of IDs generated.

crazygringo2y ago

That's still a competitive risk -- it does things like reveal if a given list of customers from recent orders/posts are all new customers or long-term customers.

Or from a list of most recently added customers/users, you can figure out the rate of signups.

Revealing timestamps is bad because it can reveal way too much information about the health of your business that you prefer to keep private, if a sequential list of ID's ever gets exposed (which is hard to prevent).

pnpnp2y ago

They’re not even strongly sequential (is there a term for this?). The gaps between them can be arbitrarily large.

madeofpalk2y ago

They are sequential, where they are in a sequence where one is clearly before or after another.

They're not monotonic.

1 more reply

vidarh2y ago· 1 in thread

I agree just knowing the number is bad, but it also makes it easier to discover far worse problems as well.

My second job was for a company that provided internet enabled phone conferencing solutions (this was years before VoIP became widespread).

The customer ids were sequential. Couple that with an outright idiotic security flaw (the login process set the customer ID in a cookie and the app trusted it on ever subsequent request. Just the ID. Nothing else), I was able to iterate over all the customer ids and hand over a complete list of users to my boss to illustrate the problem, starting with a list of the accounts of the complete upper management.

They could have been used to spin up huge numbers of 30-person long distance conference calls at high costs (this company was building out nodes with 20,000 line pstn switches before they had customers... it was crazy, and they failed but would've failed far faster if that had been abused and they were on the hook for costs from their carriers)

Trusting that cookie was still stupid, but had it been a long random key it'd at least been a bit harder to discover and exploit (their next attempt was to base64 encode it and I had to explain why that didn't help; they then finally blowfish encrypted it, but without any time component, so still subject to replay attacks... I jumped at the first opportunity I got to get out of there)

TRiG_Ireland2y ago

Huh. That's exactly the same security flaw as Moonpig had. Tom Scott made a video about it.

jabart2y ago

They can still find out through LinkedIn, ZoomInfo, BuiltWith, and any number of tools.

The tank problem doesn't fit when the incrementing value is time since epoch. Integers yeah, UUIDs, KSUIDS, or any other semi-ordered thing to make your database indexes less fragmented I haven't seen a real leak issue with those.

j / k navigate · click thread line to collapse

0 comments

13 comments · 4 top-level

sgarland2y ago· 5 in thread

I’ve heard this argument many times, but I’ve never seen anyone actually post a reference to it happening (as in, a company finding and using this information; not the German tank problem).

To me, it reeks of solving imaginary problems while causing new ones.

lightbendover2y ago

pnpnp2y ago

but UUIDv7 isn’t sequential (unless I’m getting it mixed up). There’s just a time-based component which can make sorting really nice & some random bits at the end.

If you don’t let an attacker iterate your data, all they can tell is when the ID was created.

3 more replies

umanwizard2y ago

I vaguely remember somebody figuring out from photoshop activation IDs how many sales adobe was making and trading options around their earnings report with that information.

I don’t remember the details, so maybe it was something else and not photoshop/adobe.

dbbk2y ago

It's perhaps embarrassing for a new startup to have a user ID of "10".

That's about the only problem I can discern.

jabroni_salad2y ago

madeofpalk2y ago· 3 in thread

crazygringo2y ago

That's still a competitive risk -- it does things like reveal if a given list of customers from recent orders/posts are all new customers or long-term customers.

Or from a list of most recently added customers/users, you can figure out the rate of signups.

pnpnp2y ago

They’re not even strongly sequential (is there a term for this?). The gaps between them can be arbitrarily large.

madeofpalk2y ago

They are sequential, where they are in a sequence where one is clearly before or after another.

They're not monotonic.

1 more reply

vidarh2y ago· 1 in thread

I agree just knowing the number is bad, but it also makes it easier to discover far worse problems as well.

My second job was for a company that provided internet enabled phone conferencing solutions (this was years before VoIP became widespread).

TRiG_Ireland2y ago

Huh. That's exactly the same security flaw as Moonpig had. Tom Scott made a video about it.

jabart2y ago

They can still find out through LinkedIn, ZoomInfo, BuiltWith, and any number of tools.

j / k navigate · click thread line to collapse