42 sats \ 3 replies \ @k00b 3 Jan \ on: How is the invite link on Stacker News generated? security
We use a UUID-like id for these. It's random and not in the naive way you described, but ultimately, it can be brute forced.
It's possible that someone brute forced it, but it's also possible you used it somewhere and forgot about it and someone discovered it and drained it.
These old UUID implementations are somewhat brute forceable. We'll ship an update soon that does something less brute forceable, but we can't prevent you from sharing them in ways that cause someone to drain them.
Thank you for your reply. I have now confirmed that the issue was on my end and unrelated to Stacker News. My previous statement, "I'm certain I never publicly shared this invite link," was incorrect. I've discovered that I sent this link to Nostr about a year ago.
After waking up this morning, I reviewed Stacker News' code and noticed that after my post, @ek submitted PR#1789, which changes the invite link generation method from using `cuid` to 16-byte random content. From this PR, I learned about the previous logic for generating invite links and reviewed the implementation of `cuid`. Based on this code, I was able to decode the timestamp of my invite link (https://stacker.news/invites/clr4of5kk0001ofw3xdik7kbn) as 1704703451636, which corresponds to Mon Jan 8 16:44:11 CST 2024, roughly one year ago. Following this lead, I searched through my posts on various social networks and discovered that I had indeed shared the invite link on Nostr a year ago.

Additionally, I'd like to clarify that the invite link format generated by cuid is `c + timestamp(ms) + counter + fingerprint + random(8 bytes)`. It includes a timestamp and an 8-byte random number, so attacking it wouldn't be trivial. Therefore, the security of previously generated invite links shouldn't be a major concern.

I apologize for the confusion and inconvenience caused. Sorry!
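The timestamp decoding described in the reply above, as an added example that is not part of the thread or of the Stacker News code base. It assumes the standard cuid v1 layout of a 25-character id: `c`, then 8 base36 characters of millisecond timestamp, 4 of counter, 4 of fingerprint and 8 of random. The invite id is the one quoted in the thread; `parseCuid`, `randomSectionBits` and `randomBytesBits` are names chosen here. Beyond the single id in the post, it also puts a number on the "brute forceable" point raised by @k00b: once the timestamp is read off the id, only the random section is unknown, and 8 base36 characters is far less than 16 random bytes.

```javascript
// Added example (not Stacker News code): decode the fields of a cuid v1
// identifier and compare the size of its random section with 16 random bytes.
//
// Assumed cuid v1 layout (25 chars, all base36):
//   'c' + timestamp(8) + counter(4) + fingerprint(4) + random(8)
const CUID_RE = /^c([0-9a-z]{8})([0-9a-z]{4})([0-9a-z]{4})([0-9a-z]{8})$/;

// Split a cuid into its sections and decode the numeric ones.
function parseCuid(id) {
  const m = CUID_RE.exec(id);
  if (!m) throw new Error(`not a 25-character cuid v1 identifier: ${id}`);
  const [, ts, counter, fingerprint, random] = m;
  const timestampMs = parseInt(ts, 36); // creation time in ms since the epoch
  return {
    timestampMs,
    iso: new Date(timestampMs).toISOString(),
    counter: parseInt(counter, 36), // per-process sequence number
    fingerprint,                    // derived from host and process, so it
                                    // tends to repeat across ids from one server
    random,                         // the only part an attacker must guess
  };
}

// Guess space of the random section: 8 base36 characters = 36^8 values.
function randomSectionBits() {
  return Math.log2(36 ** 8); // about 41.4 bits
}

// Guess space of n uniformly random bytes, for comparison with the new scheme.
function randomBytesBits(n) {
  return 8 * n; // 16 bytes -> 128 bits
}

// Invite id quoted in the thread above.
const inviteId = 'clr4of5kk0001ofw3xdik7kbn';
const parsed = parseCuid(inviteId);
console.log(parsed);
// timestampMs 1704703451636 -> 2024-01-08T08:44:11.636Z (16:44:11 CST, UTC+8)
console.log(
  `cuid random section: ~${randomSectionBits().toFixed(1)} bits; ` +
  `16 random bytes: ${randomBytesBits(16)} bits`
);
```

The timestamp is read directly off the id, which is why a cuid leaks when it was created; the counter and fingerprint add little, since they are predictable for ids issued by the same server. What an attacker has to guess is therefore roughly 41 bits, versus 128 bits for a 16-byte random token.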