US and Australian cyber agencies warn that IDOR security flaws can be exploited 'on a massive scale'

US and Australian government cybersecurity agencies warn that common and easily exploitable security vulnerabilities in websites and web applications can be exploited to carry out data breaches on a large scale.

In a joint advisory released Thursday, US cybersecurity agency CISA, the National Security Agency and the Australian Cyber Security Center said the vulnerabilities, known as insecure direct object references (IDOR), allow malicious hackers to access or modify sensitive data on an organization's servers due to a lack of proper security controls.

An IDOR vulnerability is like having a key for your mailbox, but that key also unlocks all the other mailboxes on your street. IDORs can be particularly problematic because, like a row of mailboxes, a malicious actor can exploit them sequentially, one after another, and access data they are not authorized to see.

Because these vulnerabilities can often be exploited through enumeration, IDORs can be abused "at scale" using automated tools, the advisory warns.

“While there have been previous open source reports of insecure direct object reference (IDOR) vulnerabilities in web applications, CISA and our partners at the Australian Cyber Security Center and the National Security Agency realized that this was a major flaw with too little recognition or understanding within the cyber community. Today's joint advisory is the first major advisory on this topic to help organizations protect sensitive data in their systems and push vendors to reduce the prevalence of vulnerabilities and IDORs,” James Stanley, head of CISA product development, told TechCrunch.

The joint advisory notes that IDORs have resulted in significant data breaches in the United States and abroad.

In recent years, IDORs have resulted in the exposure of thousands of medical documents by a US lab giant, a state government website that leaked thousands of taxpayers' personal information, an academic contact-tracing app that disclosed COVID-19 vaccination status, and a state-backed health app that provided access to other people's vaccination data. IDORs have also resulted in the mass dumping of hundreds of millions of US mortgage documents, the exposure of real-time location data of over a million vehicles from a faulty GPS tracker, and the leaking of hundreds of thousands of people's private phone data stolen by a global network of stalkerware.

The joint advisory states that developers should ensure that their web applications perform authentication and authorization checks to reduce IDORs, and that the software is secure by design, a principle promoted by CISA which urges software makers to embed security early and throughout the software development process.
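To make the advisory's point concrete, here is an added illustration (not code from the advisory or the article) of the same record lookup written two ways: the vulnerable handler trusts the client-supplied identifier alone, while the hardened handler adds the authorization check that ties the object to the authenticated user. The invoice table, user names and handler names are all constructed for this example.

```python
# Added example: an IDOR-prone record lookup beside its hardened form.
# All data below is constructed in memory so the example runs offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data standing in for a database table. Note the
# sequential ids: that is what makes enumeration with a tool trivial.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
    1003: Invoice(1003, "alice", 300.0),
}


def get_invoice_idor(session_user: str, invoice_id: int) -> Tuple[int, Optional[Invoice]]:
    """Vulnerable handler: the caller is authenticated (session_user is
    known), but the lookup is keyed only on the client-supplied id, so
    any logged-in user can read any record. Returns (status, body)."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv is not None else (404, None)


def get_invoice_checked(session_user: str, invoice_id: int) -> Tuple[int, Optional[Invoice]]:
    """Hardened handler: same lookup, followed by an authorization check
    that the record belongs to the caller. A foreign record is reported
    exactly like a missing one (404) so the endpoint does not confirm
    which ids exist; that is a design choice, not a requirement."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return (404, None)
    return (200, inv)


def list_invoices_for(session_user: str) -> List[int]:
    """Indirect-reference alternative: the server derives the candidate
    set from the session itself, so there is no free-form id to guess."""
    return sorted(i.invoice_id for i in INVOICES.values() if i.owner == session_user)


if __name__ == "__main__":
    print("idor    :", get_invoice_idor("bob", 1001))      # bob reads alice's invoice
    print("checked :", get_invoice_checked("bob", 1001))   # (404, None)
```

The first call shows the flaw the advisory describes: the authentication check passed, but nothing bound invoice 1001 to the session, so `bob` reads `alice`'s record; the second call is what "authorization checks" in the advisory's recommendation means in practice.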

“Security by design is a fundamental theme of this advisory. Vendors and developers are encouraged to take appropriate steps to deliver products that protect their customers' sensitive data by design and by default,” said CISA's Stanley.

Australia's cyber agency said it continues to observe malicious actors operating misconfigured networks.

“Even a single breach using IDOR vulnerabilities can have national impact. A malicious actor capable of exfiltrating data could impact critical infrastructure, businesses, government and individuals,” said Patrick Holmes from the Australian Center for Cyber Security.
