DEV Community

Thomas Step
Is it okay to expose MongoDB ObjectIds?

I recently came across a situation where it would have been extremely simple and easy to expose the MongoDB ObjectId that is generated whenever an entry is created. I ultimately chose to generate a GUID and use that as a reference instead. Are there any obvious concerns with exposing an ObjectId to users of an application or API?

Top comments (4)

Rob Kenis

I don't really see an issue with exposing the ObjectId. The mongodb documentation states:

Returns a new ObjectId value. The 12-byte ObjectId value consists of:

    a 4-byte timestamp value, representing the ObjectId’s creation, measured in seconds since the Unix epoch
    a 5-byte random value
    a 3-byte incrementing counter, initialized to a random value

To me, it looks like the ObjectId is random enough to not cause any harm when exposed.

Thomas Step

Thanks for the reply. Mongo must have changed their documentation around a little. I found what you are referring to here, but if you look at the glossary it says that the machine ID and process ID are used to generate the ObjectId. There is also a Security StackExchange post I found about the ObjectId having this potentially harmful information in it. Do you think this is enough for someone to exploit? It doesn't seem trivial to me, but I guess that's not the point!

Rob Kenis

The security post is indeed a little concerning, good catch! If you look at the documentation from version 3.0 for example, and version 4.0, it seems like the implementation of ObjectId has changed to use a random value instead of the machine-process combination.

Thomas Step

That's the missing piece. Nice find. I wonder if the motivation was to get rid of that potential threat. Thanks for the thoughts!