
Take for example a simple messaging system. Users can send each other personal messages. When reading a personal message sent to you, the URL would be something like http://www.example.com/messaging.php?mailid=453796451. I see many websites retrieving data using only a unique identifier, like 45379451 in this case. If someone else knew this unique identifier, he would be able to read the private message sent from user A to user B.

Now my question is whether such an id passed via the URL is really secure. In this case the id consists of 8 numbers, which would mean that a hacker would have to try 100,000,000 numbers at a maximum in order to read the private message. But if the database stores one million private messages, the hacker would be able to read a private message roughly every 100 attempts. Is it therefore a bad idea to make the system rely only on the id passed via the URL, or is it devious to check if the user matches the message's recipient?

I am programming a private messaging system at the moment, and I was wondering what would be the best practice to do so.

Sorry if my title is a bit misleading, I couldn't think of another way to describe this problem.

P.Yntema
  • Why is this tagged php? Isn't this true of all webservers? – MCW Sep 15 '15 at 17:27
  • 2
    An attacker can not read a member's message by bruteforcing the unique identifiers: with a simple session you can prevent that. But that is not sufficient (http://security.stackexchange.com/questions/23929/creating-secure-php-sessions?rq=1) and there are other elements to think about. –  Sep 15 '15 at 17:29
  • @MarkC.Wallace Because in this case, I am designing the messaging system in PHP. But you are absolutely right, it applies to all webservers. – P.Yntema Sep 15 '15 at 17:34

1 Answer

in this case. If someone else knew this unique identifier, he would be able to read the private message sent from user A to user B.

This is not (necessarily) true. Usually, there are user accounts on such sites, and a user logging in creates a session with an ID in a cookie. messaging.php can then check if the given session ID matches the owner of the requested message, and display an error message if it does not.

If someone else gets the session ID, then it's true that access is possible. However, getting it is not as easy. It's certainly longer than your message ID, and not auto-incrementing; guessing would take much longer (especially since you need the single session ID matching the current message ID, not just any session ID). And there are many things preventing cookie data from being read by anything not coming from the cookie-creating site itself.

deviantfan
  • And that's the problem I am facing. I see many websites not checking if the session ID matches the recipient in the database. As the unique id consists of 8, 10 or maybe 12 numbers, it may get hard to guess it and therefore unnecessary to check the database. – P.Yntema Sep 15 '15 at 17:26
  • `I see many websites not checking if the session ID matches the recipient in the Database.` Well, then these websites are stupid, and if there is any law for protecting user data in your country, suing them has a good chance of succeeding. – deviantfan Sep 15 '15 at 17:27
  • ...but how do you know if they check it? Trying to access messages by brute-forcing IDs on some website which doesn't belong to you is likely to be illegal. – deviantfan Sep 15 '15 at 17:28
  • A friend and I were curious if some (small-scale) websites check the database or just retrieve the data using the unique id. We just copy-pasted each other's URLs and we were able to see each other's messages. I didn't brute-force or anything like that. – P.Yntema Sep 15 '15 at 17:30
  • @Pat4561 Well, then the programmer of this website is bad :/ And make sure the owner never gets to know what you did. – deviantfan Sep 15 '15 at 17:31
  • @Pat4561 The website owner probably has his own terms to follow to be allowed to use the site, and in some countries your friend's agreement doesn't change the fact that a law was broken. But I'm not arguing about the law here; the point is, the website is *bad*, so make yours better. – deviantfan Sep 15 '15 at 17:34
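The check the answer describes, written out as an added example (it is not code from the question or the answer): the message lookup in messaging.php is shown first in the form the question worries about, where the mailid from the URL is the only thing selecting the row, and then in the hardened form where the logged-in user's id from the server-side session is part of the query. The table and column names, the in-memory SQLite database and the sample rows are all constructed for the example.

```php
<?php
// Added example, not code from the question or the answer. Table layout,
// column names and sample rows are assumptions made for this demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec('CREATE TABLE messages (
    id INTEGER PRIMARY KEY,
    sender_id INTEGER NOT NULL,
    recipient_id INTEGER NOT NULL,
    body TEXT NOT NULL)');
// Constructed sample data: user 1 (A) sends message 453796451 to user 2 (B).
$db->exec("INSERT INTO users VALUES (1, 'A'), (2, 'B'), (3, 'C')");
$db->exec("INSERT INTO messages VALUES
    (453796451, 1, 2, 'hello B'),
    (453796452, 2, 3, 'hello C')");

// The form the question describes: the id from the URL is the only input that
// selects the row, so any logged-in user who knows (or guesses) the id reads it.
function fetchMessageInsecure(PDO $db, int $mailId): ?array
{
    $stmt = $db->prepare('SELECT id, sender_id, recipient_id, body FROM messages WHERE id = ?');
    $stmt->execute([$mailId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The form the answer recommends: the authenticated user's id (taken from the
// server-side session, never from the request) is part of the lookup, so a row
// comes back only if the caller is its recipient or its sender. A mismatch
// looks exactly like a non-existent id, so the response does not reveal which
// ids exist.
function fetchMessageForUser(PDO $db, int $mailId, int $currentUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, sender_id, recipient_id, body FROM messages
          WHERE id = ? AND (recipient_id = ? OR sender_id = ?)'
    );
    $stmt->execute([$mailId, $currentUserId, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// How messaging.php would wire it up. $session stands in for $_SESSION, which
// is filled at login; $get stands in for $_GET. The mailid is validated as an
// integer before it reaches the query.
function handleRequest(PDO $db, array $session, array $get): string
{
    if (!isset($session['user_id'])) {
        http_response_code(401);
        return 'login required';
    }
    $mailId = filter_var($get['mailid'] ?? '', FILTER_VALIDATE_INT);
    if ($mailId === false) {
        http_response_code(400);
        return 'bad request';
    }
    $msg = fetchMessageForUser($db, $mailId, (int) $session['user_id']);
    if ($msg === null) {
        http_response_code(404);
        return 'not found';
    }
    return $msg['body'];
}

// Demonstration with constructed sessions (no session_start() needed here).
var_dump(fetchMessageInsecure($db, 453796451)['body']);   // "hello B": anyone logged in can read it
var_dump(fetchMessageForUser($db, 453796451, 2)['body']); // "hello B": B is the recipient
var_dump(fetchMessageForUser($db, 453796451, 3));         // NULL: C is neither party
echo handleRequest($db, ['user_id' => 3], ['mailid' => '453796451']), PHP_EOL; // not found
echo handleRequest($db, ['user_id' => 2], ['mailid' => '453796451']), PHP_EOL; // hello B
```

Putting the ownership condition into the same query as the id lookup keeps the check from being forgotten on a later code path, and returning 404 for both "no such message" and "not yours" means an attacker who enumerates ids learns nothing from the response code about which ids are in use. The session id itself still has to be protected as the linked question on secure PHP sessions describes; the ownership check only closes the hole where the message id alone grants access.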