views: 75

answers: 5

Hi,

I have a form that reveals user IDs to the public. I was wondering whether this is dangerous. Personally I do not see anything bad about it. The ID is just used to reference a single database record.

+1  A: 

As for me, an ID is as dangerous as showing a user name.

oneat
+3  A: 

If it were dangerous, Stack Overflow wouldn't be displaying user IDs in their URLs in order to make user profile lookups work: http://stackoverflow.com/users/104826/rfactor

Edit of seriousness of immense levels: if user IDs are themselves sensitive data, for example if your primary keys for some reason happen to be social security numbers, that'll definitely be a security and privacy liability. If your user IDs are just auto-increment numbers though, you're clear.

BoltClock
If his account becomes compromised, it's your fault now. ;)
Mark Rushakoff
It *can* be dangerous, but doesn't have to be.
Larsenal
@BoltClock SO also has vulnerabilities (http://meta.stackoverflow.com/questions/46671/captcha-bypass)
Rook
+2  A: 

Exposing a user ID is not, in and of itself, bad. It depends on the level of privacy and security needed. If the user ID does not expose and cannot be tied to any other personal data that should otherwise be private, it may not be a problem.

But don't think that public user IDs can never be a problem.

Make sure you don't allow anyone to break into any private data just by knowing user IDs. Facebook has had problems like that. Here's just one example. While revealing user IDs wasn't the whole story, it was part of the equation.

Larsenal
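
The check this answer asks for, sketched as an added example that is not part of the original answer: the public ID only selects a record, and the server-side session decides whether private fields are returned. The data, the `Session` type and all function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: auto-increment user IDs mapped to private records.
PROFILES = {
    1: {"display_name": "alice", "email": "alice@example.test"},
    2: {"display_name": "bob", "email": "bob@example.test"},
}
PUBLIC_FIELDS = {"display_name"}


class Forbidden(Exception):
    """Raised when the session is not allowed to read the record."""


@dataclass(frozen=True)
class Session:
    user_id: int           # set by the server at login, never taken from the request
    is_admin: bool = False


def get_profile_unchecked(requested_id: int) -> dict:
    """Weak form: knowing (or guessing) an ID is enough to read the full record."""
    return dict(PROFILES[requested_id])


def get_public_profile(requested_id: int) -> dict:
    """Safe for anonymous callers: returns only fields meant to be public."""
    record = PROFILES[requested_id]
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def get_private_profile(session: Session, requested_id: int) -> dict:
    """Hardened form: the ID selects the record, the session decides access."""
    if requested_id not in PROFILES:
        raise Forbidden("no access")  # same answer for missing and foreign IDs
    if session.user_id != requested_id and not session.is_admin:
        raise Forbidden("no access")
    return dict(PROFILES[requested_id])
```

With this split, publishing the ID in a form or URL exposes only what `get_public_profile` returns.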
A: 

Will it hurt anything? Only you can decide that, and you should think that through. But in general, it is poor form to display the User ID without having a business reason to do so. ("Saves you work" is probably not a good business reason.)

JerryOL
+1  A: 

If it is a generated database id with no other meaning, it's not dangerous. Though I don't think revealing an id is elegant either. It's a technical detail and I can't understand why you would like to show it to users.

Carlos