ID generation vulnerability #856

Closed
martinthomson opened this issue Apr 26, 2012 · 0 comments

Comments

@martinthomson
Contributor

commented Apr 26, 2012

The generation of new IDs for new sockets is vulnerable to prediction attacks. Potentially, though highly unlikely, collisions are also possible.

Mentioned in the comments of #497.

The Manager.generateId() method generates identifiers using the default Math.random() pseudorandom number generator, which produces predictable output. Knowledge of the socket.io identifier is sufficient information for a client to receive information from a socket.io server. With the current implementation, an attacker that is able to predict subsequent identifiers can make a request and gain potentially private information.

The solution is to generate a secure random number for use in identifiers with sufficient entropy that it is difficult to guess. See RFC 4086 for more information on randomness requirements.

The node.js crypto module can produce cryptographically random sequences: crypto.randomBytes(n). And, if you don't like the minuscule odds of a collision, you can add a sequence number.

Pull request follows.

As posted here: https://groups.google.com/d/topic/socket_io/Peq-R_BTSx0/discussion

rauchg added a commit that referenced this issue Apr 26, 2012
Merge pull request #857 from martinthomson/bug/856
Fix for ID generation vulnerability #856
This issue was closed.
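
The approach the issue proposes, crypto.randomBytes(n) plus a sequence number, sketched as an added example. It is not the code from pull request #857 or from socket.io; createIdGenerator, decodeId, weakId and the 16-byte floor are assumptions made for this sketch.

```javascript
// Added example (not socket.io's code). All function names are hypothetical.
const { randomBytes } = require('crypto');

const MIN_RANDOM_BYTES = 16; // assumption: 128 bits of CSPRNG output as a floor
const SEQ_BYTES = 4;

// The pattern the issue warns about: Math.random() is not a CSPRNG, so
// its output must not be used where an identifier acts as a bearer secret.
function weakId() {
  return Math.floor(Math.random() * 0xffffffff).toString(16);
}

// Returns a generateId() function. Unpredictability comes only from
// randomBytes(); the counter adds no entropy and is not secret. It only
// rules out collisions between IDs issued by this one generator.
function createIdGenerator(randomByteCount = MIN_RANDOM_BYTES) {
  if (!Number.isInteger(randomByteCount) || randomByteCount < MIN_RANDOM_BYTES) {
    throw new RangeError(`need at least ${MIN_RANDOM_BYTES} random bytes`);
  }
  let sequence = 0;

  return function generateId() {
    const buf = Buffer.alloc(randomByteCount + SEQ_BYTES);
    randomBytes(randomByteCount).copy(buf, 0);    // throws if the CSPRNG fails
    buf.writeUInt32BE(sequence, randomByteCount); // counter goes in the tail
    sequence = (sequence + 1) >>> 0;              // wrap at 2^32
    // URL-safe base64 without padding, so the ID can travel in a URL path.
    return buf.toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
}

// Splits an ID back into its random part and counter (for tests and logging).
function decodeId(id, randomByteCount = MIN_RANDOM_BYTES) {
  const raw = Buffer.from(id.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  if (raw.length !== randomByteCount + SEQ_BYTES) {
    throw new RangeError('unexpected ID length');
  }
  return {
    random: raw.subarray(0, randomByteCount),
    sequence: raw.readUInt32BE(randomByteCount),
  };
}
```

With several server processes, each generator starts its counter at 0, so cross-process uniqueness still rests on the random part alone.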