
Remove Sequential Numbering | Forum

James Geddes
James Geddes Mar 27 '16
I was watching a video from Tom Scott in which he makes a very good point: sequential numbering is a very bad idea as it is a huge security flaw; users can scrape any info they want from the site by simply navigating through the sequence. Yet Oxwall uses it everywhere!


How can I change my site so that it uses random identifiers, rather than sequential ones?


Thanks!

The Forum post is edited by James Geddes Mar 27 '16
Paul Towery
Paul Towery Mar 27 '16
I watched that video, and thanks for the information. Yes, indeed, a VERY VERY good point, and I thought we all had a safe website here. I believe something needs to be done about that. Security is a legal matter.
ross Team
ross Mar 28 '16
Well, yes, we do understand it is a bad thing to use sequential numbering for IDs. Do you happen to know the actual huge security flaw within Oxwall due to this sequential numbering?
James Geddes
James Geddes Mar 29 '16
Have you seen the video that I linked to, Ross?

Sequential numbering is a bad idea because it makes it easy to scrape any data, particularly user data, from a website by simply iterating through the sequence. Unfortunately, everything in Oxwall is based on sequential integers. A random string, such as the YouTube video ID that Tom Scott talks about, would be much more secure.
The Forum post is edited by James Geddes Mar 29 '16
ross Team
ross Mar 30 '16
Yes, I saw the video, but I need to provide a real-life case to the developers where sequential numbering leads to the scraping of user data. As you can see from the video, even YouTube uses it.
James Geddes
James Geddes Mar 31 '16
YouTube does not use sequential numbering. As Tom Scott explains, YouTube has a pool of eleven character, base 64 IDs and assigns them randomly. This prevents access to private videos, for example. 

Would it not be better to mitigate a problem, than to wait until it is too late? I feel that a five character, base 64 ID string would be sufficient for most Oxwall sites, as this would yield 1,073,741,824 (64^5) IDs. Should a site need more IDs, then the option to add more characters should be available.

While an ID would clearly remain fixed once assigned, members should be able to change their profile URL, or that of any other content on an Oxwall site, to a different string if it is available. 
The Forum post is edited by James Geddes Mar 31 '16
Musik
Musik Mar 31 '16
In the long term, I'd recommend going in the direction similar to WordPress Permalinks Settings. I can't speak to sequential numbering and security, as it's not something I've directly dealt with, but from an SEO standpoint, URLs based on page and post name are fantastic for engine crawlers.
James Geddes
James Geddes Apr 1 '16
Good point, Musik, words are indeed better for SEO. Then again, Facebook assigns a numeric ID to groups and then allows the admin to add a custom URL. This is probably the best solution, as it should ensure that the URL is changed the minimum number of times.


In any case, regardless of how it gets done, the Oxwall identification system must be changed urgently.

OW-Ghost
OW-Ghost Apr 3 '16
+1 James Geddes 


James Geddes
James Geddes Apr 4 '16
Thanks Maяcus


Also, before it gets suggested, this is a serious security flaw, so should not need to go through the user voice process.

smith256
smith256 Apr 5 '16
Without more information about your document it is impossible to say. Are the numbers plain text? In which case you can probably use a wildcard search to replace the numbers with nothing.
James Geddes
James Geddes Apr 6 '16

smith256 - sequential numbering is used everywhere within the Oxwall URL system.


Looks like the comment that Byran left has been deleted - shame, I thought it was a helpful one. He said that one can simply iterate through all the URLs on a site just by increasing the integers, see example


With a very simple script, you can scrape all the images from a site doing that, for example. If content was marked as private, it would be easy to find it without permission using this method.


Using the method that YouTube employs, a pool of randomly assigned IDs, prevents this.


On a related note, I would like to retract my suggestion about using a smaller pool of IDs. A larger pool of IDs could provide more protection from iterative scraping.

The Forum post is edited by James Geddes Apr 6 '16
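The enumeration attack described in the post above, and the random-ID alternative, as an added Python example (editor's illustration, not Oxwall code). It models a site whose internal primary keys stay sequential but whose URLs expose either the integer or a random 64-symbol string; the `Site`, `Item`, `scrape_sequential` and `scrape_random` names are assumptions for the illustration. Rather than pre-filling a pool of IDs, it draws a random string from the URL-safe base64 alphabet at creation time and rejects the (vanishingly rare) collision, which is the usual way such a "pool" is realised. `expected_hits` gives the arithmetic behind the poster's retraction of the five-character suggestion.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# URL-safe base64 alphabet: 64 symbols, so an n-character ID has 64**n possible values.
ALPHABET = string.ascii_letters + string.digits + "-_"


@dataclass
class Item:
    owner: str
    private: bool = False


@dataclass
class Site:
    """Toy content store (constructed for this example). Every item keeps a
    sequential integer primary key; only the identifier used in URLs differs."""
    items: Dict[int, Item] = field(default_factory=dict)
    public_ids: Dict[str, int] = field(default_factory=dict)  # opaque id -> internal pk
    next_pk: int = 1

    def add(self, owner: str, private: bool = False, id_len: int = 11) -> Tuple[int, str]:
        pk = self.next_pk
        self.next_pk += 1
        self.items[pk] = Item(owner, private)
        opaque = make_opaque_id(id_len)
        while opaque in self.public_ids:      # collision check; practically never taken
            opaque = make_opaque_id(id_len)
        self.public_ids[opaque] = pk
        return pk, opaque

    def fetch_by_pk(self, pk: int) -> Optional[Item]:
        """Endpoint exposing the sequential key, e.g. /photo/view/17."""
        return self.items.get(pk)

    def fetch_by_opaque(self, opaque: str) -> Optional[Item]:
        """Endpoint exposing the random key, e.g. /photo/view/dQw4w9WgXcQ."""
        pk = self.public_ids.get(opaque)
        return None if pk is None else self.items[pk]


def make_opaque_id(length: int = 11) -> str:
    # secrets, not random: the whole point is that IDs must be unpredictable.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def id_space(length: int) -> int:
    """Number of distinct IDs of the given length (64**5 == 1,073,741,824)."""
    return 64 ** length


def scrape_sequential(site: Site, max_id: int) -> Dict[int, Item]:
    """The attack from the thread: walk the integers and keep every hit,
    private content included, because existence alone is leaked by the ID."""
    found = {}
    for pk in range(1, max_id + 1):
        item = site.fetch_by_pk(pk)
        if item is not None:
            found[pk] = item
    return found


def scrape_random(site: Site, length: int, attempts: int) -> Dict[str, Item]:
    """Same attacker against random IDs: reduced to blind guessing."""
    found = {}
    for _ in range(attempts):
        guess = make_opaque_id(length)
        item = site.fetch_by_opaque(guess)
        if item is not None:
            found[guess] = item
    return found


def expected_hits(n_items: int, length: int, attempts: int) -> float:
    """Expected number of valid IDs found with `attempts` uniform guesses:
    each guess lands on a live ID with probability n_items / 64**length."""
    return attempts * n_items / id_space(length)
```

Two things the numbers show: a 5-character space with a million live objects gives a scraper roughly 93 hits per 100,000 requests (`expected_hits(1_000_000, 5, 100_000)`), which is still a usable enumeration, whereas 11 characters drops that to about 1e-9. And unguessable IDs only stop discovery; `fetch_by_opaque` still has to enforce the owner's privacy setting, because anyone who is handed a link (or finds it in a log or referrer) can open it.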
Tecca
Tecca Apr 6 '16
I had accidentally deleted it when I tried to add more information xD

Anyway, +1 to this topic.
James Geddes
James Geddes Apr 6 '16
Fair enough, Byran, it was a good one though!
ross Team
ross Apr 11 '16
We have passed it to our devs, thanks for the reasonable suggestion. 
James Geddes
James Geddes May 2 '16
Any progress on this security issue, team?