UUID Weakness - Why UUID Can Be Unsafe


In my article on Technical analysis of Optus API security challenge - Three must to have API security controls, I mentioned that we cannot just blindly assume UUID is safe to use, and I promised I would create a challenge to highlight this issue.

RFC4122 states that UUIDs should not be assumed to be hard to guess and should not be used as a security control. UUIDs come in multiple versions, and in some of them an adversary can easily guess or predict values; therefore, if a UUID is the only control protecting a private resource, the adversary can gain unauthorised access.

:point_right: UUID.py is a new challenge that models this UUID weakness. Your objective is to find and fix the vulnerability.

Bonus point: given a UUID number, how can you tell which version it is?

Happy Patching!
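The version check from the bonus question, and why a time-based UUID offers no secrecy, as an added example that is not part of the challenge or the original post. It uses only Python's standard `uuid` module; the two sample identifiers are constructed for illustration and do not come from UUID.py.

```python
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_TO_UNIX_TICKS = 0x01B21DD213814000

# Constructed sample identifiers (not from the challenge): one version 1, one version 4.
SAMPLE_V1 = "e4eaaaf2-d142-11e1-b3e5-080027620cdd"
SAMPLE_V4 = "123e4567-e89b-42d3-a456-426614174000"


def uuid_version(value: str) -> Optional[int]:
    """The version is the 13th hex digit (high nibble of the third group). It is only
    defined for the RFC 4122 variant, whose fourth group starts with the bits 10."""
    hex_digits = uuid.UUID(value).hex            # also validates the string
    variant_bits = int(hex_digits[16], 16) >> 2  # top two bits of the fourth group
    if variant_bits != 0b10:
        return None
    return int(hex_digits[12], 16)


def decode_v1(value: str) -> dict:
    """Recover the fields a version-1 UUID is assembled from: a 100-ns clock reading,
    a clock sequence and a node (normally a MAC address). Nothing here is secret."""
    u = uuid.UUID(value)
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    unix_ticks = u.time - UUID_TO_UNIX_TICKS
    created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)
    return {"created": created, "clock_seq": u.clock_seq, "node": f"{u.node:012x}"}


def predictability(value: str) -> Optional[str]:
    """Why a UUID of this version can be guessed, or None for version 4, which is random
    only if the generator used a CSPRNG (and is still not a security control per RFC 4122)."""
    version = uuid_version(value)
    if version == 4:
        return None
    reasons = {
        None: "non-RFC 4122 variant or nil UUID",
        1: "time-based: creation time and node (normally a MAC address) are recoverable",
        2: "DCE security: time-based plus a local POSIX UID/GID",
        3: "name-based (MD5): recomputable by anyone who knows the namespace and name",
        5: "name-based (SHA-1): recomputable by anyone who knows the namespace and name",
    }
    return reasons.get(version, f"version {version} is not defined in RFC 4122")


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4):
        print(sample, "is version", uuid_version(sample), "->", predictability(sample))
    print(decode_v1(SAMPLE_V1))
```

Run over identifiers pulled from an access log, `decode_v1` shows how little two version-1 UUIDs minted by the same host differ, which is exactly what makes enumeration cheap when the UUID is the only access check.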
