I don't really see an issue with exposing the ObjectId. The mongodb documentation states:
Returns a new ObjectId value. The 12-byte ObjectId value consists of:
a 4-byte timestamp value, representing the ObjectId’s creation, measured in seconds since the Unix epoch
a 5-byte random value
a 3-byte incrementing counter, initialized to a random value
To me, it looks like the ObjectId is random enough to not cause any harm when exposed.
Thanks for the reply. Mongo must have changed their documentation around a little. I found what you are referring to here, but if you look at the glossary it says that the machine ID and process ID are used to generate the ObjectId. There is also a Security StackExchange post I found about the ObjectId having this potentially harmful information in it. Do you think this is enough for someone to exploit? It doesn't seem trivial to me, but I guess that's not the point!
The security post is indeed a little concerning, good catch! If you look at the documentation from version 3.0 for example, and version 4.0, it seems like the implementation of ObjectId has changed to use a random value instead of the machine-process combination.
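Added example, not code from either commenter: a small Python parser that splits an ObjectId into its fields under the current layout quoted in the first comment (timestamp, 5-byte random, counter) and under the older layout the glossary describes (timestamp, 3-byte machine id, 2-byte process id, 3-byte counter; the byte widths come from older MongoDB driver documentation, not from this thread). The `legacy` flag and the sample ids are my own constructions; the point is that the creation time is readable from an exposed id under either layout, and ids minted by the same process share the middle five bytes.

```python
import struct
from datetime import datetime, timezone


def parse_object_id(hex_id: str, legacy: bool = False) -> dict:
    """Split a 24-hex-char ObjectId into its documented fields.

    Current layout: 4-byte timestamp | 5-byte random | 3-byte counter.
    Legacy layout (legacy=True, widths from older driver docs):
        4-byte timestamp | 3-byte machine id | 2-byte process id | 3-byte counter.
    """
    if len(hex_id) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(hex_id)
    ts = struct.unpack(">I", raw[:4])[0]  # big-endian seconds since the epoch
    fields = {
        "timestamp": ts,
        "created_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "counter": int.from_bytes(raw[9:12], "big"),
    }
    if legacy:
        fields["machine_id"] = raw[4:7].hex()
        fields["process_id"] = struct.unpack(">H", raw[7:9])[0]
    else:
        fields["random"] = raw[4:9].hex()
    return fields


def same_generator(id_a: str, id_b: str) -> bool:
    """True when two ids share bytes 4..8, i.e. were minted by the same process
    (same random value today, same machine id + pid under the legacy layout)."""
    return bytes.fromhex(id_a)[4:9] == bytes.fromhex(id_b)[4:9]


# Constructed sample ids (not real database values): same process, consecutive counter.
SAMPLE_A = "5d9f1c2a" + "0a1b2c3d4e" + "000010"
SAMPLE_B = "5d9f1c2a" + "0a1b2c3d4e" + "000011"

if __name__ == "__main__":
    print(parse_object_id(SAMPLE_A))
    print(parse_object_id(SAMPLE_A, legacy=True))
    print("same generator:", same_generator(SAMPLE_A, SAMPLE_B))
```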
That's the missing piece. Nice find. I wonder if the motivation was to get rid of that potential threat. Thanks for the thoughts!