
I'm looking into Slack's integrations and, well, I'll paste an edited version of mine here:

API Token: ecbr-33598907266-3sArMzpiKksmA73mRKGja1GB

Webhook URL: https://hooks.slack.com/services/X0F5H7V8S/P15GYA26D/gcHAYaY0kZFCirN1aywJTF0Q

I can see both of these being a case of security through obscurity, but can't they still be guessed? I know many combinations would have to be run, so it's not entirely secure. I can see a countermeasure being to stop a server from requesting all the possibilities, thereby making it harder to guess. Probably a bigger vulnerability is leaking the token somehow... But I'm curious to know how safe OAuth tokens and GUID URLs are in general.

JJJ
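To put numbers on "can't they still be guessed?", here is a small calculator I added (my own code, not from the question, and not based on any knowledge of how Slack generates these values). It assumes that only the last `-`/`/`-separated segment of each string is secret (the earlier segments look like workspace or bot identifiers an attacker may already know), that the secret is drawn uniformly from the 62-character alphanumeric alphabet, and, for the URL-shortener comparison from the comments, a hypothetical 6-character base-62 shortener with a billion links in use. The token and URL below are constructed samples shaped like the edited ones in the question, not real credentials.

```python
import math
import re

# Constructed sample values modelled on the edited strings in the question.
# They are not real credentials; the question says the pasted ones were edited.
API_TOKEN = "ecbr-33598907266-3sArMzpiKksmA73mRKGja1GB"
WEBHOOK_URL = "https://hooks.slack.com/services/X0F5H7V8S/P15GYA26D/gcHAYaY0kZFCirN1aywJTF0Q"

HEX = set("0123456789abcdef")
ALNUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")

# A version-4 GUID has 128 bits, of which 6 are fixed (version and variant
# fields), so 122 bits are random. This is the figure behind the linked
# Stack Overflow question about guessing a GUID.
UUID4_BITS = 122


def secret_segment(value: str) -> str:
    """Return the last '-' or '/' separated segment of a token or URL.

    ASSUMPTION (mine, not Slack documentation): the leading segments look like
    workspace/bot identifiers that an attacker may already know, so only the
    last segment is counted as secret. If the earlier segments were random
    too, the real entropy would be higher than estimated here.
    """
    return re.split(r"[-/]", value.rstrip("/"))[-1]


def alphabet_size_of(secret: str) -> int:
    """Smallest common alphabet that covers every character of `secret`."""
    chars = set(secret)
    if chars <= HEX:
        return 16
    if chars <= ALNUM:
        return 62
    raise ValueError(f"unexpected characters in secret: {chars - ALNUM}")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols.

    ASSUMPTION: the generator is uniform. A biased or sequential generator
    gives strictly less than this upper bound.
    """
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of tries to hit one specific value: half the keyspace."""
    return 2.0 ** bits / 2


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess one specific secret at a sustained guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 24 * 3600)


def hit_probability(valid_count: float, bits: float) -> float:
    """Chance that ONE random guess lands on ANY valid value when `valid_count`
    values are in use in a space of 2**bits. This is the URL-shortener failure
    mode from the comments: the attacker does not need one particular link."""
    return min(1.0, valid_count / 2.0 ** bits)


def analyse(value: str) -> dict:
    """Entropy estimate and brute-force time for the secret part of `value`."""
    secret = secret_segment(value)
    bits = entropy_bits(alphabet_size_of(secret), len(secret))
    return {
        "secret": secret,
        "length": len(secret),
        "bits": bits,
        "years_at_1e9_per_s": years_to_guess(bits, 1e9),
    }


if __name__ == "__main__":
    for v in (API_TOKEN, WEBHOOK_URL):
        r = analyse(v)
        print(f"{r['secret']}: {r['length']} chars, {r['bits']:.1f} bits, "
              f"~{r['years_at_1e9_per_s']:.2e} years at 1e9 guesses/s")
    print(f"UUID4: {UUID4_BITS} bits, "
          f"~{years_to_guess(UUID4_BITS, 1e9):.2e} years at 1e9 guesses/s")
    # Hypothetical shortener: 6 base-62 characters, 1e9 links in use.
    short_bits = entropy_bits(62, 6)
    print(f"6-char base62 shortener: {short_bits:.1f} bits; one random guess hits "
          f"a live link with p={hit_probability(1e9, short_bits):.3f}")
```

Under those assumptions a 24-character alphanumeric secret is about 143 bits, comfortably above a version-4 GUID's 122, and even at a billion guesses per second (far more than any rate limiter would allow) the expected time to hit one specific value is on the order of 10^26 years. The shortener case is different not because the space is small in absolute terms but because it is densely populated: with a billion live 6-character links, roughly one guess in sixty hits something valid, which is why the comment's point about the size of the space only holds when the space is both large and sparse.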
    Possible duplicate of [What is the probability of guessing (matching) a Guid?](http://stackoverflow.com/questions/4878359/what-is-the-probability-of-guessing-matching-a-guid) – user94559 May 17 '16 at 17:38
  • @smarx gives a good reference. It can break down, however, when there is an incentive to have the shortest possible string, like with URL shorteners: http://arstechnica.com/security/2016/04/guess-what-url-shorteners-short-circuit-cloud-security/ – Pieter Ennes May 17 '16 at 21:37
  • Yes, the unguessability is due to the size of the available range of values. GUIDs just happen to be huge. – user94559 May 18 '16 at 00:41

0 Answers