[SERVER-60272] ObjectId 5-byte Random Value Not Working Created: 28/Sep/21  Updated: 27/Oct/23  Resolved: 28/Sep/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.4.8
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Abdul Moiz Baig
Assignee: Louis Williams
Resolution: Works as Designed
Votes: 1
Labels: Bug
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to DOCS-14824 Clarify that the random part of Objec... Closed
Operating System: ALL
Steps To Reproduce:

I just wrote a small script to test this thing, and it's showing that the 5-byte random value is not working.

// Execute the following script
var objIds = [];
for (var i = 0; i < 10; i++) {
    objIds.push(ObjectId());
}
print(objIds);
// Below given are the results I am getting.
[
    ObjectId("615303d56d62103cd0bbe35f"),
    ObjectId("615303d56d62103cd0bbe360"),
    ObjectId("615303d56d62103cd0bbe361"),
    ObjectId("615303d56d62103cd0bbe362"),
    ObjectId("615303d56d62103cd0bbe363"),
    ObjectId("615303d56d62103cd0bbe364"),
    ObjectId("615303d56d62103cd0bbe365"),
    ObjectId("615303d56d62103cd0bbe366"),
    ObjectId("615303d56d62103cd0bbe367"),
    ObjectId("615303d56d62103cd0bbe368")
]

Sprint: Execution Team 2021-10-04
Participants:

Description:

As per the MongoDB docs, an ObjectId consists of the following:

  1. a 4-byte timestamp value, representing the ObjectId's creation, measured in seconds since the Unix epoch
  2. a 5-byte random value
  3. a 3-byte incrementing counter, initialized to a random value

I observed in production that the ObjectIds being generated follow a sequential pattern that is easy to guess or predict, which is a security threat in terms of data security.

As per my investigation, MongoDB ObjectId is not honoring point 2 mentioned in the documentation, as highlighted in red.

Comments:
Comment by Abdul Moiz Baig [ 28/Sep/21 ]

Thanks for the clarification, Louis Williams.

Comment by Louis Williams [ 28/Sep/21 ]

Hi abdulmoiz.baig.work@gmail.com, the random part of an ObjectId is generated once per process, not per-ObjectId. It does so using a secure random number generator. It's designed to be unique, but as you noticed, not un-guessable. I agree this is confusing, so I've requested a change in the documentation to make this clarification.

If you are exposing ObjectId to users, but want a more secure unique identifier, you can use the built-in UUID type instead. Additionally, you may want to consider generating your own secure identifier.

Since this is not a bug, I will close the ticket. Thanks for reporting this issue!
