Insecure usage of Version 1 UUID/GUID
Description
A UUID (Universally Unique Identifier), also known as a GUID, is a 128-bit value used to uniquely identify objects or entities. This application generates Version 1 UUIDs, which are created using a predictable algorithm based on three components:
- The current timestamp (with 100-nanosecond precision)
- A clock sequence value that remains constant during system uptime
- A node identifier derived from the system's MAC address when available
Because Version 1 UUIDs incorporate time-based and hardware-based values in a deterministic manner, they can be predicted or reverse-engineered by attackers who observe one or more generated UUIDs.
Remediation
Replace all Version 1 UUIDs with Version 4 UUIDs, which are generated from cryptographically secure random number generators and contain no predictable fields.
Implementation examples:
Python:
import uuid

# Insecure - Version 1 UUID
insecure_id = uuid.uuid1()

# Secure - Version 4 UUID
secure_id = uuid.uuid4()
Java:
import java.util.UUID;

// Secure - Version 4 UUID
UUID secureId = UUID.randomUUID();
JavaScript (Node.js):
const { v4: uuidv4 } = require('uuid');
// Secure - Version 4 UUID
const secureId = uuidv4();

C# (.NET):

using System;

// Secure - Version 4 UUID
Guid secureId = Guid.NewGuid();
Additional steps:
- Audit all code that generates or validates UUIDs to ensure Version 4 is used consistently
- If UUIDs are used for security tokens or session identifiers, consider additional security measures such as signing or encryption
- Regenerate any existing Version 1 UUIDs that are used for security-sensitive purposes
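The three fields listed in the Description can be read back out of any Version 1 UUID, which is exactly what the audit step above has to look for in code, databases and logs. The following Python script is an added example, not part of the original finding: it classifies UUID strings by version and, for Version 1 values, decodes the creation time, clock sequence and whether the node field is a hardware MAC. The sample values are constructed for this example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Start of the Version 1 timestamp, counted in 100-nanosecond intervals (RFC 4122).
_UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def audit_uuid(value: str) -> dict:
    """Classify one UUID string; for Version 1, also decode what it discloses:
    creation time, clock sequence, and whether the node is a hardware MAC
    (multicast bit clear) rather than the random node id RFC 4122 permits."""
    u = uuid.UUID(value)
    report = {"uuid": str(u), "version": u.version, "insecure": u.version == 1}
    if u.version == 1:
        created = _UUID_EPOCH + timedelta(microseconds=u.time // 10)
        report["created"] = created.isoformat()
        report["clock_seq"] = u.clock_seq
        # Bit 0 of the first node octet is the multicast bit; a real MAC has it clear.
        report["node_is_hardware_mac"] = ((u.node >> 40) & 1) == 0
    return report


def find_insecure(values):
    """Return audit reports for the Version 1 entries; non-UUID strings are skipped."""
    hits = []
    for v in values:
        try:
            report = audit_uuid(v)
        except ValueError:
            continue
        if report["insecure"]:
            hits.append(report)
    return hits


# Constructed sample values (not taken from any real system): a v1 UUID built for
# 2024-01-01T00:00:00Z with clock sequence 0x2345 and node 00:1a:2b:3c:4d:5e,
# a v1 UUID whose node has the multicast bit set, a v4 UUID, and a non-UUID token.
SAMPLES = [
    "b4cc8000-a838-11ee-a345-001a2b3c4d5e",
    "b4cc8000-a838-11ee-a345-ab0102030405",
    "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
    "not-a-uuid",
]

if __name__ == "__main__":
    for hit in find_insecure(SAMPLES):
        print(hit)
```

Running the script prints one report per Version 1 value found; the same functions can be fed UUIDs pulled from log lines or database exports during the audit.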