Cyber Security Agencies Raise Alert Against IDOR Bugs Exploited for Data Breaches
Cyber security agencies have issued a warning against the exploitation of IDOR bugs in web applications, which can lead to data breaches and theft of confidential information. IDOR stands for insecure direct object reference, a type of access control flaw that occurs when an application uses user-supplied input as an identifier to access internal resources, such as database records, without the required validation.
For instance, an IDOR flaw is exploited when a user modifies a URL to access data they are not authorized to see, such as changing the ID parameter of a request for their own record (e.g., https://example[.]site/details.php?id=12345) to view someone else’s sensitive data (e.g., https://example[.]site/details.php?id=67890).
According to the advisory issued by the US National Security Agency (NSA) and the US Cybersecurity and Infrastructure Security Agency (CISA), attackers are exploiting these weaknesses to change confidential information by submitting requests carrying the user identifiers of legitimate users, which succeed when insufficient authentication and authorization checks are in place.
You can defend against these threats by developing software according to secure-by-design and secure-by-default principles. Make sure that every request that accesses, alters, or deletes sensitive data is subject to both authentication and authorization checks.
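The following is an added example, not code from the advisory or from any product it describes: a minimal `details.php?id=...` style handler in the IDOR pattern described above, placed beside a hardened version that authenticates the caller, authorizes the specific object, and logs denials so that id-guessing can be spotted in monitoring. The record data, function names and the `example.site` URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: record id -> owner and a sensitive field.
RECORDS = {
    12345: {"owner": "alice", "ssn": "***-**-0001"},
    67890: {"owner": "bob", "ssn": "***-**-0002"},
}
AUDIT_LOG = []  # (user, record_id, outcome) tuples written by the hardened handler

class Unauthenticated(Exception):
    pass

class NotFound(Exception):
    pass

def record_id_from_url(url):
    """Extract the 'id' query parameter, as a /details.php?id=... handler would."""
    qs = parse_qs(urlparse(url).query)
    return int(qs["id"][0])

def get_details_vulnerable(session_user, url):
    """IDOR: the id from the URL is trusted, so any logged-in user reads any record."""
    rec = RECORDS.get(record_id_from_url(url))  # session_user is never consulted
    if rec is None:
        raise NotFound
    return rec

def get_details_hardened(session_user, url):
    """Authenticate, then authorize the specific object before returning it."""
    if session_user is None:
        raise Unauthenticated
    record_id = record_id_from_url(url)
    rec = RECORDS.get(record_id)
    # One outcome for "missing" and "not yours": a denied request must not reveal
    # that the id exists, and every denial is logged for monitoring.
    if rec is None or rec["owner"] != session_user:
        AUDIT_LOG.append((session_user, record_id, "denied"))
        raise NotFound
    AUDIT_LOG.append((session_user, record_id, "ok"))
    return rec

def users_over_denial_threshold(log, threshold=3):
    """Flag accounts with many denied object accesses, a sign of id enumeration."""
    denials = {}
    for user, _record_id, outcome in log:
        if outcome == "denied":
            denials[user] = denials.get(user, 0) + 1
    return sorted(u for u, n in denials.items() if n >= threshold)
```

Pass each handler the authenticated session user and the raw request URL; only the hardened version refuses to serve a record the caller does not own.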
According to research by CISA based on data from its risk and vulnerability assessments, “Valid Accounts” was the most widely used and effective attack technique, accounting for 54% of successful attempts. Other techniques employed by attackers include drive-by compromise, external remote services, spear-phishing links, and spear-phishing attachments. Accounts of former employees that are still active, as well as default administrator accounts, are routinely used to evade security controls, maintain persistence in compromised networks, and escalate privileges.
To guard against these threats, CISA recommends phishing-resistant multi-factor authentication, strong password policies, logging of network communications, and monitoring of access to spot unauthorized activity and counter the successful “Valid Accounts” technique.