NextDNS config ID too easily brute-forced
The config ID is only 6 alphanumeric characters long. It is too easily brute-forced. The config ID should be at least 12 characters long. What do you think?
16 replies
-
I don't think anyone logical would use another person's config. They don't control what they're using and the owner of the profile can see their IP.
The person would either annoy or be spied upon by the owner so in any logic a person trying to be private is going to lose all privacy if they go that route.
There are also other deterrents in place: you can use the service for free without any limits if you don't want filtering, or you can use it for free up to 300k queries. The pricing structure is also meant to be affordable for most people.
Overall yeah since it's 6 digits, it could be done but in all senses of logic it's not worth it.
-
With 36 choices for each character and 6 characters, that winds up being 36^6 or 2,176,782,336 possibilities - all to use someone else's configuration - with no guarantee that it's even an active profile.
Though, it would be a great milestone for NextDNS if they reached that number and had to increase the character set for users.
-
Once you find 1 config from an email account, you would generally find the rest. Right? Am I wrong?
-
If one had a supercomputer, is it possible to get someone's config in a few days?
-
Once you get someone's config, is it possible for the attacker to launch commands and find out about critical things? Tell me if that is possible.