Possessing an ID, shouldn’t give access, regardless of whether it’s a numerical PK or a UUID. (Unless that’s a feature, like shareable links) Still need to check if the user should be able to use that ID.
If that isn’t implemented, the system isn’t secure, doesn’t matter which path you use.
If the ID scheme mapping is sufficiently dense, traversal attacks on otherwise obscured namespaces become an option.
This might apply to user accounts, posts, payment accounts, or other elements.
Security isn't simply about compromising account credentials or access policies. It may be any unintended or unexpected data disclosure, inferred relationships (between accounts, activity, finances, offline attributes, access, reputation, and more), denial of access, stalking or harassment, and more.
These might not be unexpected in all cases, but could well be undesired in many instances.
dredmorbius|5 years ago
This might apply to user accounts, posts, payment accounts, or other elements.
Security isn't simply about compromising account credentials or access policies. It may be any unintended or unexpected data disclosure, inferred relationships (between accounts, activity, finances, offline attributes, access, reputation, and more), denial of access, stalking or harassment, and more.
These might not be unexpected in all cases, but could well be undesired in many instances.