Does sharing the standard objectid hashes of Mongodb documents with the client side pose any security risks?
100 views
Skip to first unread message
Snorre Magnus Davøen
Apr 4, 2014, 9:53:42 AM4/4/14
to mongod...@googlegroups.com
Hello,
I apologise if this question has already been asked and/or answered before. I tried searching this google group for similar questions, but did not find much. I had some more luck when I searched the web in general. Suffice it to say that I'm not quite satisfied with my knowledge about the question yet.
Does sharing the standard object id hashes of Mongodb documents with the client side pose any security risks? I attended a hackathon where someone adamantly said to avoid sharing these IDs with the client side. I attempted to search the web about this issue and did not find much. I did find one StackOverflow post: http://stackoverflow.com/questions/9452786/mongo-objectids-safe-to-use-in-the-wild.
So in essence I wonder if it is safe to send and use a document's ObjectId on the client side. Specifically my use case is as follows.
I want to make a collection containing information about facilities such as name, owner, geo location etc. The data on these facilities does not contain any natural identifier (except maybe a combination of owner and geo-location), and as such I thought I might just use the standard ObjectId hash generated by Mongodb. A rest-api might send a list of all these facilities to the client, including the ObjectId. These Ids could then be used to request data relevant to spesific facilities, say a query to return all bus stops near a given facility.
I want to make a collection containing information about facilities such as name, owner, geo location etc. The data on these facilities does not contain any natural identifier (except maybe a combination of owner and geo-location), and as such I thought I might just use the standard ObjectId hash generated by Mongodb. A rest-api might send a list of all these facilities to the client, including the ObjectId. These Ids could then be used to request data relevant to spesific facilities, say a query to return all bus stops near a given facility.
The standard ObjectID, as I understand it, has the benefit of also containing a timestamp of the creation time (which makes a created_at field unnecessary) as well as containing a hash of the mac-address of the server running mongodb (is this for sharding purposes?) and the processId of the mongodb instance.
While the timestamp might not pose a security risk in most applications I'm a bit hesitant about sharing the other two types of info. I did not quite understand if it is possible to actually extract the mac address and process id from the objectid hash, but if it possible, do they not pose a security risk?
Any answers will be greatly appreciated,
Snorre.
Asya Kamsky
Apr 4, 2014, 11:53:04 PM4/4/14
to mongodb-user
Let's consider what sort of security risk might be posed by someone
knowing what the Mac address of the client that generated the
ObjectId().
If you can't think of one (and I can't) then I don't think there is
one. By the way, the mac address is *not* of the mongodb server, it
is of the host that the client (the one running the code with MongoDB
driver) so in many cases it could be one of many clients (app
servers). Hard to see how there is anything particularly secure about
it, even if it was possible to reverse-engineer it.
Asya
> --
> You received this message because you are subscribed to the Google Groups
> "mongodb-user"
> group.
>
> For other MongoDB technical support options, see:
> http://www.mongodb.org/about/support/.
> ---
> You received this message because you are subscribed to the Google Groups
> "mongodb-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to mongodb-user...@googlegroups.com.
> To post to this group, send email to mongod...@googlegroups.com.
> Visit this group at http://groups.google.com/group/mongodb-user.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/mongodb-user/aae00491-70b4-45ea-b88b-11a91bd122b7%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
knowing what the Mac address of the client that generated the
ObjectId().
If you can't think of one (and I can't) then I don't think there is
one. By the way, the mac address is *not* of the mongodb server, it
is of the host that the client (the one running the code with MongoDB
driver) so in many cases it could be one of many clients (app
servers). Hard to see how there is anything particularly secure about
it, even if it was possible to reverse-engineer it.
Asya
> You received this message because you are subscribed to the Google Groups
> "mongodb-user"
> group.
>
> For other MongoDB technical support options, see:
> http://www.mongodb.org/about/support/.
> ---
> You received this message because you are subscribed to the Google Groups
> "mongodb-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to mongodb-user...@googlegroups.com.
> To post to this group, send email to mongod...@googlegroups.com.
> Visit this group at http://groups.google.com/group/mongodb-user.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/mongodb-user/aae00491-70b4-45ea-b88b-11a91bd122b7%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Tim Hawkins
Apr 4, 2014, 11:53:45 PM4/4/14
to mongod...@googlegroups.com
The object id also leaks the timestamp of instantiation of the object, that may or may not be a concern.
-- Sent from my Android phone with K-@ Mail. PGP public key available.
s.molinari
Apr 5, 2014, 3:39:45 AM4/5/14
to mongod...@googlegroups.com
The only issue I see with using ObjectIDs on the client side, say, within a URL, is that they are ugly (too long). Being you are looking to use them in a Rest API, you are lucky not to have that issue.:) And hopefully (and I would expect), you'll have your own security layers or methods within your application/ api, so using oids is a non-issue from any security standpoint.
Scott
Snorre Magnus Davøen
Apr 6, 2014, 6:48:41 PM4/6/14
to mongod...@googlegroups.com
Many thanks for you answer. I did not realise that it is the client's mac address that is used, not the mongodb server's address.
I'm not quite sure how a mac address might pose a security risk, and I'm guessing you would be right to say that there does not
I'm not quite sure how a mac address might pose a security risk, and I'm guessing you would be right to say that there does not
seem to be obvious cases where the mac address of the web-server would compromise security.
Thanks again.
Thanks again.
Snorre Magnus Davøen
Apr 6, 2014, 6:51:56 PM4/6/14
to mongod...@googlegroups.com
True. They are not pretty, which as you say is not a glaring issue for a REST API.
Thank you for replying.
Snorre.
Reply all
Reply to author
Forward
0 new messages