CISA warned today of the significant breach risks linked to insecure direct object reference (IDOR) vulnerabilities impacting web applications in a joint advisory with the Australian Cyber Security Centre (ACSC) and U.S. National Security Agency (NSA).
IDOR vulnerabilities are flaws in web apps (or apps that use affected web APIs) that enable attackers to access and manipulate sensitive data by directly referencing internal objects or resources.
In simpler terms, the vulnerable web application does not correctly validate user access to specific resources, such as files, databases, or user accounts.
IDOR vulnerabilities are considered significant security risks because improper input validation and missing authorization checks allow threat actors to reach resources they are not authorized to use, which can lead to unauthorized access and data breaches.
According to the NSA, IDOR vulnerabilities can potentially impact any web app, including:
- On-premises software deployed and installed locally at an organization.
- Software as a Service (SaaS) used for cloud-based applications.
- Infrastructure as a Service (IaaS) used for cloud-based computing resources.
- Private cloud models proprietary to the organization’s infrastructure.
The ACSC, CISA, and NSA warned vendors, designers, developers, and organizations that use web applications to protect their systems against IDOR vulnerabilities.
“These vulnerabilities are frequently exploited by malicious actors in data breach incidents and have resulted in the compromise of personal, financial, and health information of millions of users and consumers,” the three agencies said.
Today’s advisory provides a range of best practices, recommendations, and mitigations for vendors, developers, and end-user organizations aimed at lowering the occurrence of IDOR vulnerabilities.
The guidance also helps to enhance the security posture of web applications, ensuring they are designed to be secure by default.
Web application developers are advised to implement secure by design and default principles, follow secure coding practices (e.g., indirect reference maps, input parameter normalization and verification, and CAPTCHAs), conduct code reviews and testing using automated code analysis and testing tools, and train personnel for secure software development.
End-user organizations should choose web apps that show commitment to secure-by-design and -default principles, apply software patches for web apps as soon as possible, configure apps to log and alert on tampering attempts, and conduct regular penetration testing and vulnerability scanning to ensure their web apps are secure.
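As an added illustration of the practices listed above (this is example code, not code from the advisory or any of the agencies), the Python sketch below contrasts an IDOR-prone handler with one that normalizes the object-ID parameter, enforces ownership, records denied requests so they can be logged and alerted on, and exposes objects only through a per-session indirect reference map. The document store, user names and function names are constructed for the example.

```python
import secrets

# Constructed sample store: internal object IDs and the user that owns each one.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's bank statement"},
    102: {"owner": "bob", "body": "bob's mortgage document"},
}
# Denied requests are recorded here so they can be logged and alerted on.
TAMPER_LOG = []

def parse_object_id(raw):
    """Normalise and verify the parameter: accept only a plain decimal ID."""
    raw = raw.strip()
    return int(raw) if raw.isdigit() else None

def fetch_document_vulnerable(user, raw_id):
    """IDOR: the handler trusts the client-supplied ID and never checks ownership."""
    doc_id = parse_object_id(raw_id)
    doc = DOCUMENTS.get(doc_id)
    return None if doc is None else doc["body"]

def fetch_document_checked(user, doc_id):
    """Hardened: the server verifies that the caller owns the referenced object."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        TAMPER_LOG.append((user, doc_id))  # candidate for alerting
        return None
    return doc["body"]

class IndirectReferenceMap:
    """Per-session map from unguessable tokens to internal IDs, so raw IDs
    never leave the server and cannot be enumerated or substituted."""
    def __init__(self):
        self._token_to_id = {}

    def issue(self, internal_id):
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = internal_id
        return token

    def resolve(self, token):
        return self._token_to_id.get(token)

def fetch_document_indirect(user, session_map, token):
    """Resolve the token issued to this session, then still enforce ownership."""
    internal_id = session_map.resolve(token)
    if internal_id is None:
        TAMPER_LOG.append((user, token))
        return None
    return fetch_document_checked(user, internal_id)
```

The indirect map is a defence in depth, not a replacement for the ownership check: `fetch_document_indirect` still calls `fetch_document_checked` after resolving the token.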
The three agencies highlighted several incidents where the exploitation of IDOR security flaws has led to massive data breaches.
In October 2021, a major data leak involving “stalkerware” apps that were transferring harvested data to servers affected by an IDOR vulnerability (CVE-2022-0732) exposed text messages, call records, photos, and geolocation info from hundreds of thousands of mobile devices.
Another data breach from 2019 affected a U.S. Financial Services Sector organization, exposing over 800 million personal financial files, including sensitive details such as bank statements, bank account numbers, and mortgage payment documents.
A separate incident occurred in 2012, wherein attackers stole the personal data of more than 100,000 mobile device owners from a publicly accessible website of a U.S. Communications Sector organization after exploiting an IDOR vulnerability.