Web applications containing insecure direct object reference (IDOR) vulnerabilities are at significant risk of compromise, warn the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the US National Security Agency (NSA) in a joint advisory.
As a reminder, we previously covered CISA's release of a tool for securing cloud environments and the agency's strong recommendation to patch Windows, as well as CISA's list of nation-state threat actors. The agency works tirelessly.
IDOR vulnerabilities are flaws in web applications (or in applications that use vulnerable web APIs) that let attackers access and manipulate sensitive data by referencing internal objects or resources directly, for example by changing an identifier in a URL or request body. That is, the vulnerable application fails to verify that the current user is actually authorized to access the requested resource, whether a file, a database record or an account.
As a result, IDOR vulnerabilities lead to unauthorized access and data leakage: because input validation and authorization checks are missing or incorrect, attackers obtain access to resources they have no rights to.
CISA, ACSC and NSA have urged vendors, designers, developers and organizations that use web applications to protect their systems against IDOR vulnerabilities.
Accordingly, web application developers are advised to follow secure-by-design and secure-by-default principles, keep security in mind when writing code (for example, normalize and validate input, and use CAPTCHA), analyze and test code with automated tools, and train staff in secure software development.
Organizations and end users, in turn, should choose web applications whose vendors demonstrate a commitment to secure-by-design and secure-by-default principles, apply patches as quickly as possible, configure applications to detect and alert on unauthorized access attempts, and regularly run penetration tests and vulnerability scans to verify the security of their web applications.
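The flaw described above and the developer-side fix from the recommendations (validate the input, then enforce an object-level authorization check) look like this in practice. The following is an added illustration, not code from the advisory or from any real application: the document store, the user names and the identifiers are constructed, and the `probe` helper simply plays the role of an attacker stepping through object IDs.

```python
"""IDOR illustration: an object lookup that trusts a client-supplied identifier,
beside a hardened version that normalizes/validates the identifier and checks
that the requesting user owns the object.

Added example. The store, users and identifiers are constructed; they are not
taken from the advisory or from any real application.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store: three documents belonging to two users.
DOCUMENTS = {
    101: Document(101, "alice", "alice's bank statement"),
    102: Document(102, "alice", "alice's mortgage paperwork"),
    103: Document(103, "bob", "bob's tax return"),
}


class AccessDenied(Exception):
    """Raised for malformed ids, missing objects and unauthorized access alike,
    so the response does not tell a caller which identifiers exist."""


def get_document_vulnerable(session_user: str, raw_id: str) -> Optional[Document]:
    """IDOR: the identifier from the request is used directly to fetch the
    object and the authenticated user is never compared with the owner, so any
    logged-in user reads any document by changing the id."""
    return DOCUMENTS.get(int(raw_id))


_ID_PATTERN = re.compile(r"[0-9]{1,9}")


def get_document(session_user: str, raw_id: str) -> Document:
    """Hardened version: normalize and validate the identifier, then enforce an
    object-level authorization check against the session's user."""
    normalized = raw_id.strip()
    if not _ID_PATTERN.fullmatch(normalized):
        raise AccessDenied("malformed identifier")
    doc = DOCUMENTS.get(int(normalized))
    # "Not found" and "not yours" share one error path (e.g. a single 404),
    # so the endpoint cannot be used as an oracle for valid ids.
    if doc is None or doc.owner != session_user:
        raise AccessDenied("not authorized")
    return doc


def probe(session_user: str, ids: Iterable[int],
          fetch: Callable[[str, str], Optional[Document]]) -> List[int]:
    """Simulated attacker: request every id in `ids` as `session_user` with the
    given fetch function and return the ids whose body came back."""
    readable = []
    for i in ids:
        try:
            doc = fetch(session_user, str(i))
        except (AccessDenied, ValueError):
            continue
        if doc is not None:
            readable.append(doc.doc_id)
    return readable


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable:", probe("bob", ids, get_document_vulnerable))  # [101, 102, 103]
    print("hardened:  ", probe("bob", ids, get_document))             # [103]
```

The key point is that validating the identifier alone does not close the hole: `int(raw_id)` in the vulnerable version is already a form of validation, yet bob still reads alice's documents. The authorization check against the session's identity is what removes the IDOR; the input normalization and the single error path are the defence-in-depth around it.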
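One concrete way to meet the "detect and alert on unauthorized access attempts" recommendation is to watch access logs for a client walking through object identifiers on a per-user endpoint. The block below is an added example, not tooling from the advisory: the log lines are constructed in a simplified layout (client IP, authenticated user, method, path, status), the `/api/documents/<id>` path shape is assumed, and the thresholds are illustrative starting points that would be tuned to a real application's baseline.

```python
"""Detection of IDOR enumeration attempts from web access logs.

Added example. Log layout "<ip> <user> <method> <path> <status>" and the
/api/documents/<id> path are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: alice behaves normally; bob walks sequential ids,
# mostly getting denied, which is the signature of probing for an IDOR.
SAMPLE_LOG = """\
203.0.113.7 alice GET /api/documents/101 200
203.0.113.7 alice GET /api/documents/102 200
198.51.100.9 bob GET /api/documents/103 200
198.51.100.9 bob GET /api/documents/104 403
198.51.100.9 bob GET /api/documents/105 403
198.51.100.9 bob GET /api/documents/106 403
198.51.100.9 bob GET /api/documents/107 403
198.51.100.9 bob GET /api/documents/108 200
198.51.100.9 bob GET /api/documents/109 403
203.0.113.7 alice GET /api/profile 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_RE = re.compile(r"^/api/documents/(?P<id>\d+)$")

# (user, ip, object id, status) per request that targeted an object
Event = Tuple[str, str, int, int]


def parse_log(text: str) -> List[Event]:
    """Keep only well-formed lines that address a document by id."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        o = OBJECT_RE.match(m["path"])
        if not o:
            continue
        events.append((m["user"], m["ip"], int(o["id"]), int(m["status"])))
    return events


def find_enumeration(events: List[Event], min_ids: int = 5,
                     min_denied_ratio: float = 0.5, max_gap: int = 2,
                     bulk_threshold: int = 50) -> List[Dict]:
    """Flag (user, ip) pairs that either (a) requested at least `min_ids`
    distinct ids forming a near-consecutive run with mostly denied responses,
    or (b) touched `bulk_threshold` or more distinct ids regardless of status.

    Signal (b) matters on an application that is actually vulnerable: there the
    probes succeed, so the denied-ratio signal in (a) never fires."""
    by_client: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for user, ip, obj_id, status in events:
        by_client[(user, ip)].append((obj_id, status))

    alerts = []
    for (user, ip), reqs in by_client.items():
        ids = sorted({i for i, _ in reqs})
        denied = sum(1 for _, s in reqs if s in (401, 403, 404))
        ratio = denied / len(reqs)
        sequential = all(b - a <= max_gap for a, b in zip(ids, ids[1:]))
        probing = len(ids) >= min_ids and ratio >= min_denied_ratio and sequential
        bulk = len(ids) >= bulk_threshold
        if probing or bulk:
            alerts.append({
                "user": user, "ip": ip, "distinct_ids": len(ids),
                "denied_ratio": round(ratio, 2),
                "reason": "sequential-denied" if probing else "bulk-access",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
    # {'user': 'bob', 'ip': '198.51.100.9', 'distinct_ids': 7,
    #  'denied_ratio': 0.71, 'reason': 'sequential-denied'}
```

In production this logic would run over a sliding time window per authenticated identity rather than over a whole file, and the alert would carry the ids touched so that the incident responder can tell which records, if any, were actually returned.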
In the report, the experts give examples of past large-scale data leaks caused by IDOR vulnerabilities. In 2021, a major leak was discovered involving stalkerware that uploaded the data it collected to servers affected by the IDOR vulnerability CVE-2022-0732; text messages, call recordings, photos and location data from hundreds of thousands of mobile devices were accessible to anyone.
Another leak, in 2019, involved First American Financial Corp. and exposed more than 800 million sensitive financial files, including bank statements, bank account numbers and mortgage payment documents.