Security risk of clients having access to vector clocks

Michael Clemmons glassresistor at
Thu Jan 17 21:12:54 EST 2013

Manipulating the vclock client side in theory could be used to affect what
data is stored.  I wouldnt say this is a large problem but I would think
about whats being stored and if being able to say force a revert is
On Jan 17, 2013 6:07 PM, "Brian Picciano" <dustfinger1 at> wrote:

> A web app that we're building is designed in such a way that the vector
> clocks returned from a bucket with use_multi:true will be sent to the
> client, and the client will then return that vector clock in subsequent
> requests so that we can keep track of state conflicts in riak.
> My question is: are there any security risks in doing this? We've
> obfuscated the vector clock (and never call it the vector clock on the
> client side), but that's just security through obscurity, and probably
> wouldn't hold up very long. Would a client be able to get any meaninful
> information out of a vector clock, or manipulate it in such a way that when
> they return it it could harm the database? Are there any ways we could
> combat this?
> _______________________________________________
> riak-users mailing list
> riak-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the riak-users mailing list