ID generation vulnerability #856
The generation of new IDs for new sockets is vulnerable to prediction attacks. Potentially, though highly unlikely, collisions are also possible.
Mentioned in the comments of #497.
The Manager.generateId() method generates identifiers using the default Math.random() pseudorandom number generator, which produces predictable output. Knowledge of the socket.io identifier is sufficient information for a client to receive information from a socket.io server. With the current implementation, an attacker that is able to predict subsequent identifiers can make a request and gain potentially private information.
The solution is to generate a secure random number for use in identifiers with sufficient entropy that it is difficult to guess. See RFC 4086 for more information on randomness requirements.
The node.js crypto module can produce cryptographically random sequences: crypto.randomBytes(n). And, if you don't like the minuscule odds of a collision, you can add a sequence number.
Pull request follows.