
Massive Data Heist – Web Devs Neglect IDOR Vulnerabilities

by Krishi Chowdhary, from Techreport (#6DD7R)

Millions of individuals have fallen victim to a significant data breach resulting from a class of vulnerabilities found in various websites, as revealed by cybersecurity agencies in the United States and Australia.

The agencies are now calling upon web developers to take immediate action to address these critical bugs. The vulnerabilities in question are referred to as Insecure Direct Object References (IDORs).

These flaws arise when web applications or APIs fail to adequately verify whether a user has appropriate access rights to specific information stored in a database or other resources.

For instance, a website might use a URL scheme like this:

www.example.com/transaction/12345, displaying the transaction details linked to the ID number 12345.

However, instead of ensuring that only authorized users can access their own transactions, the website might accept any ID a user supplies and return the matching record. Consequently, it reveals other users' private information. Because the IDs are predictable, an attacker can walk through the full range of them and harvest personal and sensitive data on a massive scale.

IDOR Vulnerabilities

In a joint alert with the NSA and the Australian Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency (CISA) warned that cybercriminals frequently exploit these IDOR vulnerabilities because they are prevalent and challenging to prevent during development.

CISA highlighted that these IDOR vulnerabilities can be abused on a large scale, making them a significant concern for cybersecurity.

The consequences of IDOR exploitation can be severe, including theft, modification, or deletion of sensitive data, unauthorized access to devices, and the dissemination of malware to unsuspecting victims. Several high-profile incidents highlight the risks posed by these flaws.

CISA reported that IDOR bugs in Nexx's smart home devices allowed attackers to manipulate victims' smart home hardware through the Nexx API.

In a notorious 2019 security breach at First American Financial, 800 million personal financial files were exposed. The files contained sensitive information such as bank statements, account numbers, and mortgage payment documents.

The breach was attributed to an IDOR flaw. It allowed unauthorized access to a vast amount of personal data, raising serious concerns about data protection and cybersecurity.

More recently, security researchers from Jumpsec demonstrated how an IDOR vulnerability in Microsoft Teams could bypass security controls. The flaw enabled the distribution of malware to organizations using the chat app, posing a significant threat to their cybersecurity.

Combating IDOR Vulnerabilities

To combat these data breaches, the agencies emphasize the importance of implementing secure-by-design principles throughout the software development process.

Automated code analysis tools can be employed to identify and fix these vulnerabilities before applications go into production.

The agencies have published a comprehensive list of recommendations for vendors, developers, app designers, and end-users. These recommendations aim to minimize the risks associated with IDOR flaws and protect sensitive data from falling into the wrong hands.

Key recommendations include configuring applications to deny access by default and performing authentication and authorization checks on every request that reads, modifies, or deletes sensitive data, rather than trusting the object ID supplied by the client.
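The transaction/12345 example above, and the deny-by-default recommendation in this paragraph, shown side by side as an added illustration (not code from the article or from any agency): the first handler looks up the record by ID alone, the second refuses unless the record's owner matches the caller. The in-memory TRANSACTIONS table, the user names and the Forbidden class are constructed for the example.

```python
# Constructed sample data: each transaction record carries its owner.
TRANSACTIONS = {
    12345: {"owner": "alice", "amount": 250.00, "account": "ACC-0001"},
    12346: {"owner": "bob", "amount": 99.50, "account": "ACC-0002"},
    12347: {"owner": "alice", "amount": 10.00, "account": "ACC-0001"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_transaction_vulnerable(current_user, txn_id):
    """IDOR: the record is fetched by the client-supplied ID alone.
    current_user is never compared to the record's owner, so any
    authenticated user can read any transaction by changing the ID."""
    return TRANSACTIONS.get(txn_id)


def get_transaction_secure(current_user, txn_id):
    """Deny by default: the object is returned only when an explicit
    ownership check passes. A missing ID and another user's ID produce
    the same Forbidden, so responses do not reveal which IDs exist."""
    record = TRANSACTIONS.get(txn_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"user {current_user!r} may not read transaction {txn_id}")
    return record


def count_readable(handler, current_user, id_range):
    """Regression check: how many records one user can read when every ID
    in id_range is requested. For a correct handler the answer is exactly
    the number of records that user owns; anything higher is an IDOR."""
    readable = 0
    for txn_id in id_range:
        try:
            if handler(current_user, txn_id) is not None:
                readable += 1
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    ids = range(12340, 12350)
    print("vulnerable handler, user bob:", count_readable(get_transaction_vulnerable, "bob", ids))
    print("secure handler, user bob:   ", count_readable(get_transaction_secure, "bob", ids))
```

The same count_readable check can be run in a test suite with a low-privilege test account so a regression that drops the ownership check is caught before deployment.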

The agencies particularly stress the importance of adopting the suggested mitigations for organizations utilizing software-as-a-service (SaaS) models in cloud-based apps.

For organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models, thorough reviews of authentication and authorization checks are essential.

These reviews are particularly critical for web apps that allow access to sensitive data, ensuring robust protection against potential IDOR vulnerabilities and unauthorized access.

Regular penetration testing and vulnerability scanning are also crucial for keeping internet-facing web applications secure. Moreover, the agencies emphasize the importance of promptly applying patches whenever IDOR bugs or any other vulnerabilities are discovered.

By proactively implementing these measures and adhering to the cybersecurity agencies' recommendations, web developers and end-users may effectively safeguard sensitive data. This concerted effort ensures a stronger defense against potential breaches and reinforces the protection of valuable information.
