Most active commenters
  • hardwaresofton(5)

←back to thread

'123456' password exposed chats for 64M McDonald's job applicants

(www.bleepingcomputer.com)
111 points nan60 | 25 comments | 11 Jul 25 21:48 UTC | HN request time: 0.442s | source | bottom
1. bsuvc ◴[11 Jul 25 22:54 UTC] No.44537604[source]
It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #
2. hardwaresofton ◴[11 Jul 25 23:48 UTC] No.44537968[source]
A third problem that senior engineers might recognize: using numeric IDs on an outward facing object. UUIDs would have made this impossible as well
replies(3): >>44538043 #>>44538169 #>>44538538 #
3. bsuvc ◴[12 Jul 25 00:00 UTC] No.44538043[source]
Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

replies(2): >>44538058 #>>44538529 #
4. tyre ◴[12 Jul 25 00:03 UTC] No.44538058{3}[source]
Yes and…

UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.

> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.

replies(2): >>44538303 #>>44538313 #
5. Natsu ◴[12 Jul 25 00:15 UTC] No.44538121[source]
123456 was both the username & password, they were hit by CWE-1392 because someone failed to change the default credentials.
replies(1): >>44538307 #
6. lelandbatey ◴[12 Jul 25 00:24 UTC] No.44538169[source]
Using numeric IDs on an outward facing object is, for the most part, totally fine. It's a serious tradeoff to ditch the nice properties of numerical IDs and the legibility they provide in order to cargo-cult a "we must reveal nothing" approach, as you would here via UUID. It also misses the point of the actual security lesson: no matter the identifier, you need to be applying access controls to your data. Even if your UUIDs were generated via 100% airtight cryptographically random sources, you have to, y'know, communicate with them. That means you'll probably leak them, expose them, or other folks will collect them (often incidentally via things like system logs). If all it takes to gain access to a thing is knowing the identifier of that thing, you've blown it in a huge way. Don't stress about the theoretical benefits of something like an opaque identifier and then completely neglect the necessary real world access control.

Can you tell I've been scarred by discussing designs with folks who focus on the "visible" problems without thinking about the fundamental question of "is this secure"?

replies(3): >>44538381 #>>44538590 #>>44539947 #
7. thaumasiotes ◴[12 Jul 25 00:48 UTC] No.44538299[source]
> It sounds like there were two separate problems:

> The first was that 123456 was the credentials for the admin panel.

No. 123456 was the credentials for the test setup, which contained nothing. But you could use the IDOR to access data from the test setup.

If 123456 had been the credentials to the admin panel, there would have been no point in exploiting an IDOR - as an admin, you can just look at whatever you want.

8. 0cf8612b2e1e ◴[12 Jul 25 00:48 UTC] No.44538303{4}[source]
The security is that your server will crash from overload long before someone can guess the ids.
9. thaumasiotes ◴[12 Jul 25 00:48 UTC] No.44538307[source]
The writeup never claimed that 123456:123456 were default credentials?
10. zarzavat ◴[12 Jul 25 00:49 UTC] No.44538313{4}[source]
You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.
replies(1): >>44538446 #
11. mattl ◴[12 Jul 25 01:02 UTC] No.44538381{3}[source]
Yes it makes very little difference if I can see all your public published blog posts on a WordPress site by iterating the number.
12. xeromal ◴[12 Jul 25 01:14 UTC] No.44538446{5}[source]
I may be a dingleberry but who doesn't use uuidv4 for everything?
replies(2): >>44538527 #>>44538661 #
13. hardwaresofton ◴[12 Jul 25 01:30 UTC] No.44538527{6}[source]
UUIDv7 indexes better in databases
14. hardwaresofton ◴[12 Jul 25 01:31 UTC] No.44538529{3}[source]
Yes, you are technically right -- I should have said "functionally impossible". It's not actually impossible, but close enough for the average random onlooker.
15. jszymborski ◴[12 Jul 25 01:33 UTC] No.44538538[source]
Ok, this is probably a stupid, very bad, no good idea considering I've not heard of people doing this, but can't you retain many of the benefits of numerical IDs but also the secrecy of UUIDs by using an HMAC ?

With HMAC, you can still ask for some sequential IDs

SipHash128(0, KEY) = k_0

SipHash128(1, KEY) = k_1

You get the same number of bits as a UUID.

You can't, however, sort by IDs to get their insertion sequence, however. For that you'd need something like symmetric encryption but this is already a bad idea, no reason to make it worse.

replies(1): >>44538597 #
16. hardwaresofton ◴[12 Jul 25 01:43 UTC] No.44538590{3}[source]
I think I disagree with "totally fine"... Even if that were true though, this case is definitely a point where you wouldn't want to give away information with a numeric ID. Giving away # of applications/growth of that over time is definitely business information that arguably should not be discernible.

The point is not that UUIDs are magically secure, it's that they mean nothing to whoever gains access except a single job app. The assumption is that they will get out (they're in a public URL), and that they will have no meaning when they do.

It's a defense-in-depth thing IMO -- cargo-culting this approach defends you even when you don't do the other things right. It's simple -- with a non-zero probability that the actual access control is faulty, do you want a default that protects you or doesn't. What's the intentional trade we're going for? More DB perf? Easier to type URLs? There are other ways to deal with those

> Can you tell I've been scarred by discussing designs with folks who focus on the "visible" problems without thinking about the fundamental question of "is this secure"?

Yes :(

17. hardwaresofton ◴[12 Jul 25 01:44 UTC] No.44538597{3}[source]
You could also "just" have an internal-use only numeric ID, or use a UUIDv7.
replies(1): >>44540116 #
18. cobbal ◴[12 Jul 25 01:59 UTC] No.44538661{6}[source]
UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.
replies(3): >>44538707 #>>44539124 #>>44539217 #
19. 0cf8612b2e1e ◴[12 Jul 25 02:09 UTC] No.44538707{7}[source]
Gasp! I had no idea about the Python implementation. Not that I do anything where it would matter (just need a random id), but for an already slow language, I would prefer the safer default.
20. maple3142 ◴[12 Jul 25 03:47 UTC] No.44539124{7}[source]
For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.
21. shakna ◴[12 Jul 25 04:07 UTC] No.44539217{7}[source]
Uh... Come again?

    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)
https://github.com/python/cpython/blob/3.13/Lib/uuid.py
replies(1): >>44540142 #
22. overfeed ◴[12 Jul 25 06:57 UTC] No.44539947{3}[source]
> If all it takes to gain access to a thing is knowing the identifier of that thing, you've blown it in a huge way.

Defense in depth is a thing, so even if you make a mistake in one place, and the attacker gets complete access - as what happened with the McApplicaton here - they won't be able to download your entire db within minutes. Even with zero authentication, non-guessable identifiers will slow down the exfiltration by several factors from dozens/hundreds of records per second to one record per $MANY_DAYS, with lots of 404s for the defenders to look at.

> That means you'll probably leak them, expose them, or other folks will collect them (often incidentally via things like system logs)

The additional friction of acquiring the UUIDs from a different channel is beneficial to defenders, compared to decrementing or incrementing IDs, which is trivial to do, and doesn't need RCE. It's the difference between "All users' data was exfiltrated" and "Only a couple/handful of accounts were affected", and this can make or break the breached company.

23. sam_lowry_ ◴[12 Jul 25 07:40 UTC] No.44540116{4}[source]
or ULIDs or any other partially sortable ids.
replies(1): >>44541706 #
24. sebazzz ◴[12 Jul 25 12:50 UTC] No.44541706{5}[source]
ULID are not necessarily sortable, just UUIDs consensed in a shorter string by using more characters than 0-9A-F
replies(1): >>44542234 #
25. sam_lowry_ ◴[12 Jul 25 14:15 UTC] No.44542234{6}[source]
ULID = Unique Lexicographically sortable IDentifier ;-)