Why you should not have plain numbers as IDs in your database
This post is about how something as simple as incrementing a number can reveal a lot of an organisation's data when the organisation does not have adequate security policies for its digital infrastructure.
So, it happened that I was trying to book movie tickets on a movie booking site (simply because I wanted to give their website a shot) and it was no fun, so I opened the Developer Console of Chrome and began studying the XHR calls made by the site.
As you can see above, this was one of the APIs, getting the booking details for a specific “uniReqID”. I just tried to change it and it worked perfectly; you can refer to the image below.
I just incremented the “uniReqID” by 1 and boom!!! I have the details.
You get the seat numbers booked, the amount paid, the tax paid, the amount paid for Food & Beverages (if any), and the movie for which the ticket was booked.
So if you are reading this (hopefully you are), please take a break from using plain numbers as IDs, especially for transaction-related IDs.
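Here is an added example (not code from this post or from the site) of the lookup described above: the sequential-ID "before" next to an "after" that issues random IDs and also checks that the booking belongs to the logged-in user. The store, field names and sample bookings are constructed for illustration.

```python
import secrets

# Constructed sample data; field names are assumptions, not the site's schema.
BOOKINGS_BY_SEQ = {
    1001: {"owner": "alice", "seats": ["C4", "C5"], "amount": 500},
    1002: {"owner": "bob", "seats": ["F1"], "amount": 250},
}


def get_booking_sequential(req_id):
    """'Before': any caller who changes the number by 1 reads another booking."""
    return BOOKINGS_BY_SEQ.get(req_id)


class BookingStore:
    """'After': random public IDs plus an ownership check on every read."""

    def __init__(self):
        self._rows = {}

    def create(self, owner, seats, amount):
        # 128 bits from the OS CSPRNG: neighbours cannot be derived from one ID.
        public_id = secrets.token_urlsafe(16)
        self._rows[public_id] = {"owner": owner, "seats": seats, "amount": amount}
        return public_id

    def get(self, public_id, session_user):
        row = self._rows.get(public_id)
        # Same answer for "no such ID" and "not yours", so responses do not
        # confirm which IDs exist.
        if row is None or row["owner"] != session_user:
            return None
        return row


if __name__ == "__main__":
    store = BookingStore()
    a = store.create("alice", ["C4", "C5"], 500)
    b = store.create("bob", ["F1"], 250)
    print(get_booking_sequential(1001 + 1)["owner"])  # bob's booking, no check
    print(store.get(a, "alice"))                      # owner reads own booking
    print(store.get(b, "alice"))                      # None: not alice's
```

The random ID makes neighbouring bookings unguessable, and the ownership check is what keeps a booking private even if its ID leaks through a link, log or screenshot.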
I tried to mail the company concerned about this issue:
Wed, Dec 12, 2018, 11:45 PM — Mail sent regarding the Issue
Thu, Jan 24, 2019, 11:23 PM — Still waiting for their reply.
P.S. Though it may not seem like a big security threat, you are still leaking practically the entire information about the tickets booked on your site: seat no., price paid, etc.