gradio-app / gradio

Build and share delightful machine learning apps, all in Python. 🌟 Star to support our work!

Home Page:http://www.gradio.app

Security: Using --share produces URLs which are way too easy to guess

leszekhanusz opened this issue

Describe the bug

The URLs currently produced when using the share option are in the form https://12345.gradio.app

The numbers at the start are way too easy to guess: a malicious actor can easily try every combination of numbers to find a specific application, which could allow remote code execution depending on the application.

Possible solution: instead of using only 5 numbers with low entropy (10^5 = 100000), use something like 15 characters in the range [0-9][a-z][A-Z] (base 62), giving (26+26+10)^15 = 7.689097049×10^26 possibilities, which would generate URLs looking like this: https://vteiTSJw4V0GOL5.gradio.app

Note: not reporting this issue as a security issue as this is already a public issue

Is there an existing issue for this?

  • I have searched the existing issues

Reproduction

N/A

Screenshot

No response

Logs

N/A

System Info

N/A

Severity

serious, but I can work around it
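The entropy comparison in the report, worked through as an added example (not Gradio's own code): it computes the guess space and bit strength of the old 5-digit scheme against the proposed 15-character base-62 scheme, and generates a subdomain with the OS CSPRNG so that the value is neither sequential nor derivable from an earlier ID. Function and constant names are hypothetical.

```python
import math
import secrets
import string

# Hypothetical alphabet for the proposed scheme: [0-9][a-z][A-Z], 62 symbols.
BASE62 = string.digits + string.ascii_lowercase + string.ascii_uppercase


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct subdomains a scheme can produce."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the guess space: the number of bits a blind guesser must get right."""
    return length * math.log2(alphabet_size)


def expected_blind_guesses(alphabet_size: int, length: int) -> float:
    """Mean number of attempts to hit one specific live URL by enumeration (half the space)."""
    return guess_space(alphabet_size, length) / 2


def new_share_subdomain(length: int = 15) -> str:
    """Unpredictable subdomain drawn from the OS CSPRNG (secrets), so successive
    values are unrelated to each other and cannot be derived from a prior ID."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


def is_well_formed(subdomain: str, length: int = 15) -> bool:
    """Check that a generated subdomain has the expected length and alphabet."""
    return len(subdomain) == length and all(c in BASE62 for c in subdomain)


if __name__ == "__main__":
    for name, alphabet, length in (("5 digits", 10, 5), ("15 x base62", 62, 15)):
        print(f"{name:12s} space={guess_space(alphabet, length):.3e} "
              f"bits={entropy_bits(alphabet, length):.1f} "
              f"mean guesses={expected_blind_guesses(alphabet, length):.3e}")
    print("example subdomain:", new_share_subdomain())
```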

Thanks for reporting the issue @leszekhanusz, agreed about the seriousness of the issue, let us see if we can quickly fix it.

Hi @leszekhanusz, we just pushed a change to how our links are generated, so this issue should now be fixed across all versions of Gradio. I would appreciate it if you could try it out and let us know if it works for you.

Thanks for the quick reaction! I don't have access to my pc today, could someone else confirm it's fixed?

@abidlabs It's working fine

Great! I’ll go ahead and close the issue then

@abidlabs One of my URLs was just recycled within a couple of hours of shutting down the app. Given the large number of bits in the subdomain, it seems these new URLs aren't random, but maybe something like a hash of the original ID. In any case, it looks like it's possible to spin up demos and collect URLs to guess in the future.

Thanks for the heads up @float-trip. Share URLs can still be recycled in theory, but this PR: #2509 should completely fix that. We're aiming to release next week!