CISA, Australia warn of IDOR vulnerabilities after major breaches

Computer security

On Thursday, cybersecurity bodies in the United States and Australia issued alerts about a particular type of security flaw that enables malicious actors to manipulate or erase data by assuming the identities of authorized users.

Figure 1. Photo: therecord.media

Referred to as insecure direct object reference (IDOR) vulnerabilities, these flaws involve attackers sending requests to websites or web APIs without proper authentication.

In a recent announcement, the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Australian Cyber Security Centre (ACSC) issued a cautionary notice. They highlighted that these weaknesses are frequently exploited by malicious actors in data breaches. The vulnerabilities are prevalent, difficult to mitigate outside the development phase, and can be exploited at scale.

The agencies have stated that IDOR vulnerabilities have led to the breach of personal, financial, and health data belonging to countless users and consumers. They mentioned that cyber attackers have utilized these flaws to gain entry to sensitive information, alter or delete objects, and access various functions.

IDOR vulnerabilities are weaknesses in the access control of web and mobile applications. They arise when an application or API uses an identifier, such as an ID number, name, or key, to directly access an object, like a database record, but fails to adequately verify the authentication or authorization of the user making the request.

In the past few years alone, several security incidents involving IDOR weaknesses have occurred, affecting platforms and organizations such as a payment add-on for WordPress websites, the U.S. electronics company Eaton, Microsoft Teams, AT&T, and First American Financial.

The cybersecurity agencies provided guidelines for vendors, creators, and builders of web applications as well as organizations that make use of web applications.

They encouraged developers to adopt various precautionary measures such as incorporating secure-by-design and -default principles, along with utilizing automated tools capable of scrutinizing code for IDOR vulnerabilities. Additionally, end users should exercise caution when interacting with vulnerable applications and refrain from purchasing tools from unverified vendors.

IDOR vulnerabilities are generally categorized by the extent of unauthorized access they grant, and they take several forms. One prevalent type is known as "body alteration," in which threat actors modify the HTML code of a webpage to obtain access. Similar variants include the manipulation of URLs or cookies.

According to BugCrowd's Chief Technology Officer Casey Ellis, if a website is exposed to IDOR (Insecure Direct Object Reference), one can easily gain access to another user's data simply by modifying or incrementing a numerical value in the URL of a logged-in user.
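To make the access-control gap concrete, here is an added example (not code from the advisory, the article, or any of the products named) of the pattern defined above and of the URL-tampering scenario Ellis describes: one record lookup that trusts whatever identifier arrives in the request, one that enforces ownership server-side, and the kind of automated authorization check the agencies recommend running against handlers. All users, record ids and contents are constructed sample data.

```python
# Added example: minimal IDOR pattern and its fix on an in-memory record table.
# Users, records and ids below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample table: two users, each owning one record.
RECORDS = {
    1001: Record(1001, "alice", "invoice for alice"),
    1002: Record(1002, "bob", "invoice for bob"),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to read the record."""


def get_record_vulnerable(session_user: str, record_id: int) -> Record:
    """IDOR: the identifier (from a URL, form body or cookie) is used directly
    and the handler never checks that session_user owns the object."""
    return RECORDS[record_id]


def get_record_secure(session_user: str, record_id: int) -> Record:
    """Fix: resolve the object, then enforce ownership before returning it.
    Where the id came from is irrelevant; the server-side check is the same."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        # One response for "missing" and "not yours" so the endpoint does not
        # reveal which ids exist.
        raise Forbidden(f"user {session_user!r} may not read record {record_id}")
    return record


def readable_neighbours(handler, session_user: str, own_id: int) -> list[int]:
    """Authorization test: try the ids adjacent to the caller's own record and
    report which ones the handler returns. A correct handler yields only own_id."""
    readable = []
    for candidate in range(own_id - 1, own_id + 2):
        try:
            handler(session_user, candidate)
        except (Forbidden, KeyError):
            continue
        readable.append(candidate)
    return readable
```

Running `readable_neighbours` against both handlers for user `alice` and record `1001` shows the vulnerable version also returning Bob's record `1002`, while the secure version returns only `1001`.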

The agencies explained that these weaknesses are widespread and difficult to prevent outside the development phase, because each instance is distinct and cannot be addressed by a single software or security feature.

Moreover, malicious actors can identify and exploit these vulnerabilities at scale using automated tools. This puts organizations at risk of accidental information exposure or a large-scale breach of sensitive data by malicious parties.

Ellis observed that the advisory's timing was peculiar but probably influenced by the breach of Optus, Australia's second-biggest telecom corporation. In this incident, a significant portion of the Australian public's information was compromised due to the vulnerable API security and the existence of IDOR.

Some argued that a significant portion of the suggestions provided in the guidance were practices that developers should have already implemented.

According to Mike Parkin, a senior technical engineer at Vulcan Cyber, although there may be valid situations where insecure direct object references are acceptable and do not introduce significant security threats, it is important to restrict their use due to their inherent insecurity.

Developers should exercise caution when it comes to implementing IDOR and should avoid using it whenever there is a risk of users being able to manipulate the system and compromise its security. All the recommendations given in this collective advice are actions that developers should already be taking. It is simply a fundamental practice of coding securely, without requiring specialized knowledge or skills.


Jonathan Greig is currently employed as a Breaking News Reporter at Recorded Future News. Since 2014, Jonathan has engaged in journalism on an international scale, with stints at various news organizations in South Africa, Jordan, and Cambodia. Notably, he has prior experience covering cybersecurity for ZDNet and TechRepublic. Recently, Jonathan has relocated to New York City.
