←back to thread

'123456' password exposed chats for 64M McDonald's job applicants

(www.bleepingcomputer.com)
111 points nan60 | 1 comments | 11 Jul 25 21:48 UTC | HN request time: 0.225s | source
Show context
bsuvc ◴[11 Jul 25 22:54 UTC] No.44537604[source]
It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #
hardwaresofton ◴[11 Jul 25 23:48 UTC] No.44537968[source]
A third problem that senior engineers might recognize: using numeric IDs on an outward facing object. UUIDs would have made this impossible as well
replies(3): >>44538043 #>>44538169 #>>44538538 #
bsuvc ◴[12 Jul 25 00:00 UTC] No.44538043[source]
Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

replies(2): >>44538058 #>>44538529 #
tyre ◴[12 Jul 25 00:03 UTC] No.44538058[source]
Yes and…

UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.

> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.

replies(2): >>44538303 #>>44538313 #
zarzavat ◴[12 Jul 25 00:49 UTC] No.44538313[source]
You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.
replies(1): >>44538446 #
xeromal ◴[12 Jul 25 01:14 UTC] No.44538446[source]
I may be a dingleberry but who doesn't use uuidv4 for everything?
replies(2): >>44538527 #>>44538661 #
1. hardwaresofton ◴[12 Jul 25 01:30 UTC] No.44538527[source]
UUIDv7 indexes better in databases