Security agencies from the U.S. and Australian governments are warning that common and easily exploitable security vulnerabilities in websites and web apps can be abused to carry out large-scale data breaches.
The U.S. CISA and NSA and Australia's ACSC said that the vulnerabilities, known as insecure direct object references (IDORs), allow malicious hackers to access or modify sensitive data on an organization’s servers because of a lack of proper security checks.
An IDOR vulnerability is like having a key to your mailbox, but that key also allows you to unlock every other mailbox. IDORs can be particularly problematic because, like a row of mailboxes, a threat actor can exploit them sequentially, one after the other, and access data that they should not be allowed to. IDORs can be abused “at scale” using automated tools.
In the recent past, IDORs have resulted in the exposure of thousands of medical documents by a U.S. laboratory giant, a state government website that spilled thousands of taxpayers’ personal information, a college contact-tracing app that leaked COVID-19 vaccination status, and a state-backed health app that allowed access to other people’s vaccination data.
IDORs also resulted in the mass data spill of hundreds of millions of U.S. mortgage documents, the exposure of the real-time location data of more than a million vehicles from a flawed GPS tracker and the leak of hundreds of thousands of people’s private phone data stolen by a global stalkerware network.
Developers should ensure their web apps perform authentication and authorization checks to reduce IDORs. Security should be involved from the beginning and throughout the software development process.
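To make the "row of mailboxes" problem and the authorization check concrete, here is an added example that is not from the advisory or the article. It models a document endpoint with an IDOR defect next to its hardened form, plus the kind of authorization test a development team would run before release. The records, session tokens, function names and the request shape are all constructed for the example.

```python
"""Added example (not from the advisory or the article): a toy document
endpoint with an IDOR defect beside its hardened form, and an authorization
test of the kind a defender would run to catch the defect before release.
All records, sessions and function names here are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data: sequential ids, as in the "row of mailboxes" case.
DOCUMENTS = {
    1: Document(1, 100, "lab result for patient A"),
    2: Document(2, 200, "lab result for patient B"),
    3: Document(3, 300, "lab result for patient C"),
}
# Constructed session store: token -> user id.
SESSIONS = {"tok-alice": 100, "tok-bob": 200}


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


def _authenticate(token: str) -> int:
    """Authentication only: establishes who is calling.
    It says nothing about which documents that caller may read."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated() from None


def get_document_vulnerable(token: str, doc_id: int) -> Document:
    """IDOR: the caller is authenticated, then the id taken from the
    request is trusted as-is and any existing record is returned."""
    _authenticate(token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound()
    return doc


def get_document_secure(token: str, doc_id: int) -> Document:
    """Hardened: after lookup, ownership is checked against the session.
    Missing and foreign ids both yield NotFound, so the response does not
    confirm which ids exist."""
    user_id = _authenticate(token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != user_id:
        raise NotFound()
    return doc


def enumerate_readable(handler, token: str, id_range: range) -> list:
    """Authorization test: walk a range of ids with a single session and
    record which documents come back. For a correct endpoint only the
    caller's own documents should appear."""
    readable = []
    for doc_id in id_range:
        try:
            handler(token, doc_id)
        except (NotFound, Unauthenticated):
            continue
        readable.append(doc_id)
    return readable


if __name__ == "__main__":
    # Alice (user 100) owns only document 1.
    print("vulnerable:", enumerate_readable(get_document_vulnerable, "tok-alice", range(1, 5)))  # [1, 2, 3]
    print("secure:    ", enumerate_readable(get_document_secure, "tok-alice", range(1, 5)))      # [1]
```

The test function is the useful part for a defender: run against every endpoint that takes an object identifier, with a low-privilege session, it should never return an id the session does not own. Note that the hardened handler checks ownership after the lookup rather than relying on unguessable ids; random identifiers make enumeration harder but are not a substitute for the authorization check.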