Eyes on IDOR Vulnerabilities! US and Australia Release Joint Advisory – Source: heimdalsecurity.com

Cybersecurity agencies in Australia and the U.S. issued an advisory that warns about security flaws in web applications that could result in large-scale data breaches.

The advisory refers to a certain sort of vulnerability called Insecure Direct Object Reference (IDOR). IDOR is a variety of access control bugs that surface when user-supplied input is used without additional validation. The flaws enable threat actors to issue requests to websites or APIs without authentication.

What Is at Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) stated that:

These vulnerabilities are common and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools.

IDOR vulnerabilities were already leveraged to expose the personal, financial, and health data of millions of people. Hackers used them to data breach governmental institutions, healthcare, educational organizations, and financial companies, to name just a few.

Recommended Safety Measures

As a result, CISA and ACSC ask vendors and developers to implement the secure-by-design and -default principles. They should make sure the software they produce secure-by-design or sell performs authentication and authorization checks for the queries that access, change, or delete sensitive data.

The advisory recommends using:

• automated tools for code review
• indirect reference maps to prevent IDs, names, and keys from being exposed in URLs
• only extremely carefully selected third-party libraries or frameworks they must incorporate into their apps

According to the advisory, all end-user organizations should take very seriously applying patches in a timely manner.

The cybersecurity agencies also recommend companies using on-premises software, or private cloud models to regularly perform vulnerability scanning and penetration testing.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.