Is it safe to expose MongoDB ObjectID to users (e.g. in URI)?

According to Mongo's documentation, the following is used to construct an ObjectId:

ObjectId is a 12-byte BSON type, constructed using:

  a 4-byte value representing the seconds since the Unix epoch,
  a 3-byte machine identifier,
  a 2-byte process id, and
  a 3-byte counter, starting with a random value.

So to answer your question,

Is there anything else an attacker could gain from knowledge of the ObjectID?

I would say that it seems like in addition to the timestamp they could also determine the machine identifier, the process id and your counter value.

Make sure that you are protecting yourself against direct object reference attacks (which you should be doing anyway).


MongoDB OIDs are predictable. So if you have access restrictions you need to enforce, such as not allowing person A from Group 1 access to similarly classed objects belonging to persons in Group 2, then you will need to make sure your application enforces these rules for all points of access.

A disastrous strategy, for example, would be to store an OID for a user in the browser, possibly acquired and stored after authZ, and use it for authN, since all that would be needed to change your identity in the server would be to twiddle the browser-stored OID to match someone else's.
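Added example, not code from either answer: it decodes the 12-byte layout quoted in the first answer (so you can see exactly which fields a user learns from an id) and shows the kind of server-side ownership check the second answer calls for. It assumes the 4/3/2/3-byte layout as quoted and uses a constructed in-memory document store in place of a real collection.

```python
import datetime
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectIdParts:
    timestamp: int  # 4 bytes: seconds since the Unix epoch
    machine: int    # 3 bytes: machine identifier
    pid: int        # 2 bytes: process id
    counter: int    # 3 bytes: counter (random start, then incrementing)


def decode_object_id(hex_id: str) -> ObjectIdParts:
    """Split a 24-hex-character ObjectId into the four fields quoted above."""
    if len(hex_id) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(hex_id)  # raises ValueError on non-hex input
    return ObjectIdParts(
        timestamp=int.from_bytes(raw[0:4], "big"),
        machine=int.from_bytes(raw[4:7], "big"),
        pid=int.from_bytes(raw[7:9], "big"),
        counter=int.from_bytes(raw[9:12], "big"),
    )


def created_at(hex_id: str) -> datetime.datetime:
    """Creation time embedded in the id, as a UTC datetime."""
    secs = decode_object_id(hex_id).timestamp
    return datetime.datetime.fromtimestamp(secs, datetime.timezone.utc)


# Constructed sample store (hypothetical ids): two users, one document each.
# The ids differ only in the counter, which is exactly what makes them guessable.
DOCUMENTS = {
    "507f1f77bcf86cd799439011": {"owner": "alice", "body": "alice's notes"},
    "507f1f77bcf86cd799439012": {"owner": "bob", "body": "bob's notes"},
}


def fetch_document(requesting_user: str, hex_id: str) -> Optional[dict]:
    """Server-side lookup scoped to the authenticated caller.

    The owner check happens here, at the point of access, never in the client.
    A missing id and someone else's id both return None so the response does not
    reveal whether a guessed id exists."""
    doc = DOCUMENTS.get(hex_id)
    if doc is None or doc["owner"] != requesting_user:
        return None
    return doc
```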
