In a joint advisory released today, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the U.S. National Security Agency (NSA) have warned of the significant breach risks posed by insecure direct object reference (IDOR) vulnerabilities in web applications. IDOR vulnerabilities are defects in web applications (or in applications that consume affected web APIs) that let threat actors read or manipulate sensitive data by supplying a reference to an internal object, such as a record ID, file name, or account number, which the application then uses without checking that the caller is entitled to that object. In plain terms, the vulnerable application does not adequately verify a user's access to specific resources, such as files, database records, or user accounts.
IDOR vulnerabilities pose a considerable security risk because a single missing authorization check lets a threat actor reach resources belonging to other users, which can escalate directly into a large-scale data breach. Input validation on its own does not close the gap: confirming that an identifier is well-formed says nothing about whether the authenticated caller owns the object it points to, so the check has to be made against the object itself. The NSA has noted that IDOR vulnerabilities can affect any web application that exposes references to internal objects.
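To make the defect concrete, the following is an added example (not code from the advisory or this article): a minimal "fetch my invoice" handler written twice, once with the IDOR defect and once with the object-level authorization check it lacks, followed by a per-user indirect reference map of the kind the advisory recommends. The users, invoice records and function names are constructed for illustration, and no web framework is used so the snippet runs stand-alone.

```python
# Added example, not code from the advisory or the article. All names, users
# and invoice records below are constructed for illustration.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data. Sequential integer keys shared across tenants are
# the classic IDOR setup: an attacker who is shown 1002 will simply try 1001.
INVOICES = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 48_500),
    1003: Invoice(1003, "alice", 3_250),
}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the identifier taken from the request is used directly as the
    lookup key and the authenticated caller is never compared with the
    record's owner, so bob can read alice's invoice 1001."""
    return INVOICES[invoice_id]  # KeyError for unknown ids, but no ownership check


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: after the lookup, verify that the
    authenticated principal owns the record. Missing and foreign objects get
    the same LookupError so the endpoint does not confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise LookupError(f"invoice {invoice_id} not found")
    return inv


def can_read(current_user: str, invoice_id: int) -> bool:
    """True if the hardened handler would serve this record to this caller."""
    try:
        get_invoice_hardened(current_user, invoice_id)
        return True
    except LookupError:
        return False


class ReferenceMap:
    """Per-user indirect reference map. The client only ever sees random,
    unguessable handles; a handle resolves only for the user it was issued
    to, and the ownership check is still applied on resolution."""

    def __init__(self) -> None:
        self._handles: dict[str, dict[str, int]] = {}

    def handles_for(self, user: str) -> dict[str, int]:
        """Issue (or return already-issued) handles for the objects this user owns."""
        issued = self._handles.setdefault(user, {})
        if not issued:
            for inv in INVOICES.values():
                if inv.owner == user:
                    issued[secrets.token_urlsafe(16)] = inv.invoice_id
        return dict(issued)

    def resolve(self, user: str, handle: str) -> Invoice:
        invoice_id = self._handles.get(user, {}).get(handle)
        if invoice_id is None:
            raise LookupError("unknown handle")
        return get_invoice_hardened(user, invoice_id)  # defence in depth

    def can_resolve(self, user: str, handle: str) -> bool:
        try:
            self.resolve(user, handle)
            return True
        except LookupError:
            return False


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 1001))  # bob reads alice's invoice
    print(can_read("bob", 1001))                # False once the check is in place
```

The hardened handler deliberately returns the same "not found" result for a foreign object and a non-existent one; a distinct 403 would confirm to an enumerating attacker which identifiers are real. The reference map is an extra layer rather than a replacement: the ownership check still runs when a handle is resolved, so a bug in handle issuance cannot reopen the hole.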
The ACSC, CISA, and NSA have urged vendors, designers, developers, and organizations that use web applications to safeguard their systems against IDOR vulnerabilities. The three agencies stated, "These vulnerabilities are frequently exploited by malicious actors in data breach incidents and have resulted in the compromise of personal, financial, and health information of millions of users and consumers."
The advisory released today offers a range of best practices, recommendations, and mitigations for vendors, developers, and end-user organizations aimed at reducing the prevalence of IDOR vulnerabilities. The guidance also aims to improve the security posture of web applications by ensuring they are designed to be secure by default. Web application developers are urged to adopt secure-by-design and secure-by-default principles, follow secure coding practices, conduct code reviews and testing with automated code analysis and testing tools, and train staff in secure software development.
End-user organizations are advised to opt for web applications that demonstrate a commitment to secure-by-design and -default principles, apply software patches for web apps promptly, configure apps to record and alert on tampering attempts, and perform regular penetration testing and vulnerability scanning to ensure their web apps are secure.
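The "record and alert on tampering attempts" recommendation above is only useful if the application logs the authenticated principal alongside the object identifier it requested. The following is an added example (not from the advisory or the article) of detection logic that a security operations team could run over such access logs: it flags a principal that requests many distinct object identifiers in a short window and is mostly refused, which is what identifier enumeration against a correctly hardened endpoint looks like. The log lines, the `/api/invoices/<id>` path, the thresholds and the function names are all constructed for illustration.

```python
# Added example, not code from the advisory or the article. The log format,
# endpoint path, thresholds and sample traffic are constructed for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Common Log Format with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
OBJECT_PATH = re.compile(r"^/api/invoices/(?P<id>\d+)$")
DENIED_STATUSES = {401, 403, 404}  # a hardened app answers 404 for foreign objects

# Constructed sample traffic, not real logs: bob walks sequential ids and is
# refused for every one he does not own; alice reads her own two invoices.
SAMPLE_LOG = """\
203.0.113.7 - bob [27/Jul/2023:10:00:01 +0000] "GET /api/invoices/1002 HTTP/1.1" 200 512
203.0.113.7 - bob [27/Jul/2023:10:00:02 +0000] "GET /api/invoices/1003 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:03 +0000] "GET /api/invoices/1004 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:04 +0000] "GET /api/invoices/1005 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:05 +0000] "GET /api/invoices/1006 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:06 +0000] "GET /api/invoices/1007 HTTP/1.1" 404 0
198.51.100.4 - alice [27/Jul/2023:10:00:07 +0000] "GET /api/invoices/1001 HTTP/1.1" 200 498
198.51.100.4 - alice [27/Jul/2023:10:00:09 +0000] "GET /api/invoices/1003 HTTP/1.1" 200 230
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    object_id: int
    status: int


@dataclass(frozen=True)
class Alert:
    ip: str
    user: str
    distinct_ids: int
    denied: int
    sequential: bool
    first: datetime
    last: datetime


def parse_line(line: str):
    """Return an Event for a request to an object endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = OBJECT_PATH.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts, m["ip"], m["user"], int(p["id"]), int(m["status"]))


def detect_enumeration(log_text: str, window: timedelta = timedelta(seconds=60),
                       min_distinct: int = 5, min_denied_ratio: float = 0.5) -> list:
    """One alert per (ip, user) whose requests inside any sliding window touch
    at least min_distinct object ids with at least min_denied_ratio refused."""
    by_principal = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_principal[(ev.ip, ev.user)].append(ev)

    alerts = []
    for (ip, user), evs in by_principal.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            ids = {e.object_id for e in win}
            denied = sum(1 for e in win if e.status in DENIED_STATUSES)
            if len(ids) >= min_distinct and denied / len(win) >= min_denied_ratio:
                if best is None or len(ids) > best.distinct_ids:
                    best = Alert(ip, user, len(ids), denied,
                                 ids == set(range(min(ids), max(ids) + 1)),
                                 win[0].ts, win[-1].ts)
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"{a.user}@{a.ip}: {a.distinct_ids} ids, {a.denied} denied, "
              f"sequential={a.sequential}, {a.first:%H:%M:%S}-{a.last:%H:%M:%S}")
```

Keying the window on the authenticated user as well as the source address matters because an enumeration run behind a shared NAT or a proxy pool would otherwise be smeared across many addresses. The `sequential` flag is a cheap signal that the identifiers are being walked rather than looked up; it is not a prerequisite for alerting, since an attacker who scrapes identifiers from another endpoint will not produce a contiguous range.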
The three agencies cited several incidents where the exploitation of IDOR security flaws has led to significant data breaches. In October 2021, a major data leak involving 'stalkerware' apps transferring harvested data to servers affected by an IDOR vulnerability (CVE-2022-0732) exposed text messages, call records, photos, and geolocation info from hundreds of thousands of mobile devices. Another data breach in 2019 impacted a U.S. Financial Services Sector organization, exposing over 800 million personal financial files, including sensitive details like bank statements, bank account numbers, and mortgage payment documents. In 2012, a separate incident occurred where attackers exploited an IDOR vulnerability to steal the personal data of more than 100,000 mobile device owners from a publicly accessible website of a U.S. Communications Sector organization.