[SERVER-60272] ObjectId 5-byte Random Value Not Working Created: 28/Sep/21 Updated: 27/Oct/23 Resolved: 28/Sep/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 4.4.8 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Abdul Moiz Baig | Assignee: | Louis Williams |
| Resolution: | Works as Designed | Votes: | 1 |
| Labels: | Bug |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Operating System: | ALL |
| Steps To Reproduce: |
I just wrote a small script to test this thing, and it's showing that the 5-byte random value is not working.
|
| Sprint: | Execution Team 2021-10-04 |
| Participants: |
| Description |
|
As per MongoDB Docs ObjectId consists of the following,
I observed in production that ObjectIds which are being generated are following a sequential pattern that is easy to guess or predict and is a security threat in terms of data security. As per my investigation, MongoDB ObjectId is not honoring point 2 mentioned in the documentation, as highlighted in red. |
| Comments |
| Comment by Abdul Moiz Baig [ 28/Sep/21 ] |
|
Thanks for the clarification, Louis Williams. |
| Comment by Louis Williams [ 28/Sep/21 ] |
|
Hi abdulmoiz.baig.work@gmail.com, the random part of an ObjectId is generated once per process, not per-ObjectId. It does so using a secure random number generator. It's designed to be unique, but as you noticed, not un-guessable. I agree this is confusing, so I've requested a change in the documentation to make this clarification. If you are exposing ObjectId to users, but want a more secure unique identifier, you can use the built-in UUID type instead. Additionally, you may want to consider generating your own secure identifier. Since this is not a bug, I will close the ticket. Thanks for reporting this issue! |
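Added example, not part of the ticket and not MongoDB's code: it splits ObjectIds into the documented 4-byte timestamp, 5-byte per-process random value and 3-byte counter, showing why ids from one process share the middle field, and generates an independent identifier of the kind the closing comment suggests. The sample ids are constructed and all function names are hypothetical.

```python
import secrets
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample ids (not from the ticket): three ids as one process
# would issue them back to back.
SAMPLE_IDS = [
    "6152f1a03c9d1e7a2b4f81c0",
    "6152f1a03c9d1e7a2b4f81c1",
    "6152f1a03c9d1e7a2b4f81c2",
]


class ObjectIdParts(NamedTuple):
    timestamp: datetime   # bytes 0-3: seconds since the Unix epoch
    process_random: str   # bytes 4-8: random value, fixed for the process
    counter: int          # bytes 9-11: incrementing counter


def parse_object_id(hex_id: str) -> ObjectIdParts:
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("an ObjectId is 12 bytes (24 hex characters)")
    seconds = int.from_bytes(raw[0:4], "big")
    return ObjectIdParts(
        datetime.fromtimestamp(seconds, tz=timezone.utc),
        raw[4:9].hex(),
        int.from_bytes(raw[9:12], "big"),
    )


def process_values(hex_ids):
    """Distinct 5-byte values seen; one value means one generating process."""
    return {parse_object_id(h).process_random for h in hex_ids}


def counter_steps(hex_ids):
    """Differences between consecutive counters (modulo the 3-byte width)."""
    counters = [parse_object_id(h).counter for h in hex_ids]
    return [(b - a) % (1 << 24) for a, b in zip(counters, counters[1:])]


def new_public_id() -> str:
    """128 bits from the OS CSPRNG, independent of time, process and order."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(process_values(SAMPLE_IDS), counter_steps(SAMPLE_IDS))
    print(new_public_id())
```

An identifier like `new_public_id()` belongs in its own indexed field for anything exposed to users, with the ObjectId kept as the internal `_id`.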