←back to thread

'123456' password exposed chats for 64M McDonald's job applicants

(www.bleepingcomputer.com)
111 points nan60 | 4 comments | 11 Jul 25 21:48 UTC | HN request time: 0.842s | source
Show context
bsuvc ◴[11 Jul 25 22:54 UTC] No.44537604[source]
It sounds like there were two separate problems:

The first was that 123456 was the credentials for the admin panel.

The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.

replies(3): >>44537968 #>>44538121 #>>44538299 #
hardwaresofton ◴[11 Jul 25 23:48 UTC] No.44537968[source]
A third problem that senior engineers might recognize: using numeric IDs on an outward facing object. UUIDs would have made this impossible as well
replies(3): >>44538043 #>>44538169 #>>44538538 #
bsuvc ◴[12 Jul 25 00:00 UTC] No.44538043[source]
Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

replies(2): >>44538058 #>>44538529 #
tyre ◴[12 Jul 25 00:03 UTC] No.44538058[source]
Yes and…

UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.

> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.

replies(2): >>44538303 #>>44538313 #
zarzavat ◴[12 Jul 25 00:49 UTC] No.44538313[source]
You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.
replies(1): >>44538446 #
xeromal ◴[12 Jul 25 01:14 UTC] No.44538446[source]
I may be a dingleberry but who doesn't use uuidv4 for everything?
replies(2): >>44538527 #>>44538661 #
1. cobbal ◴[12 Jul 25 01:59 UTC] No.44538661[source]
UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.
replies(3): >>44538707 #>>44539124 #>>44539217 #
2. 0cf8612b2e1e ◴[12 Jul 25 02:09 UTC] No.44538707[source]
Gasp! I had no idea about the Python implementation. Not that I do anything where it would matter (just need a random id), but for an already slow language, I would prefer the safer default.
3. maple3142 ◴[12 Jul 25 03:47 UTC] No.44539124[source]
For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.
4. shakna ◴[12 Jul 25 04:07 UTC] No.44539217[source]
Uh... Come again?

    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)
https://github.com/python/cpython/blob/3.13/Lib/uuid.py
replies(1): >>44540142 #