Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches

Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning about a class of web application security flaws that malicious actors can exploit to carry out data breaches and steal confidential data.

The advisory focuses on Insecure Direct Object Reference (IDOR) bugs, a type of access control flaw that occurs when an application uses user-supplied input, typically an identifier, to fetch an internal object directly (for example, a database record) without verifying that the requesting user is actually authorized to access that particular object.

A typical example of an IDOR flaw is a user trivially changing the identifier in a URL (e.g., from https://example[.]site/details.php?id=12345 to https://example[.]site/details.php?id=67890) and receiving another user's transaction record, because the server looks the record up by the supplied ID and never checks who owns it.

To mitigate such threats, it's recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks on the server for every request that reads, modifies, or deletes sensitive data, rather than trusting that a client will only request objects it is entitled to.
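The following is an added example, not code from the advisory or from the article, that models the details.php?id=... endpoint described above in plain Python (no web framework) so the two behaviours can be compared side by side. The vulnerable handler reproduces the IDOR: it authenticates the session but uses the supplied id directly as the lookup key. The hardened handler applies an ownership check on every request, including the delete path. The transactions, user names, and session values are constructed sample data; the Transaction class and the handler names are assumptions made for the illustration.

```python
"""Added example (not from the advisory or the article): an IDOR-style record
lookup beside its hardened form. All data below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    id: int
    owner: str      # username entitled to read, modify or delete this record
    amount: float


# Constructed sample "database table": one record per user.
TRANSACTIONS = {
    12345: Transaction(12345, "alice", 40.00),
    67890: Transaction(67890, "bob", 1250.00),
}


class NotFound(Exception):
    """Raised for a missing record, and (in the hardened version) for a record
    the caller may not access, so the endpoint is not an existence oracle."""


def details_vulnerable(session_user: str, raw_id: str) -> Transaction:
    """IDOR: the only check is that a session exists. The supplied id is used
    directly as the key, so alice can read bob's record by changing
    id=12345 to id=67890 in the URL."""
    if not session_user:
        raise PermissionError("authentication required")
    tx = TRANSACTIONS.get(int(raw_id))
    if tx is None:
        raise NotFound(raw_id)
    return tx


def details_hardened(session_user: str, raw_id: str) -> Transaction:
    """Authentication plus per-object authorization on every request: the
    record is returned only if the authenticated principal owns it. A
    non-owned record is reported exactly like a missing one."""
    if not session_user:
        raise PermissionError("authentication required")
    try:
        obj_id = int(raw_id)          # malformed input is treated as not found
    except ValueError:
        raise NotFound(raw_id) from None
    tx = TRANSACTIONS.get(obj_id)
    if tx is None or tx.owner != session_user:
        raise NotFound(raw_id)
    return tx


def delete_hardened(session_user: str, raw_id: str) -> Transaction:
    """State-changing actions reuse the same authorization check, so a user
    cannot delete a record they are not permitted to read."""
    tx = details_hardened(session_user, raw_id)
    del TRANSACTIONS[tx.id]
    return tx


def attack_succeeds(handler, attacker: str, victim_id: str) -> bool:
    """True if `attacker` can retrieve `victim_id` through `handler` even though
    the record belongs to someone else."""
    try:
        tx = handler(attacker, victim_id)
    except (NotFound, PermissionError):
        return False
    return tx.owner != attacker


if __name__ == "__main__":
    print("vulnerable handler leaks bob's record to alice:",
          attack_succeeds(details_vulnerable, "alice", "67890"))
    print("hardened handler leaks bob's record to alice:",
          attack_succeeds(details_hardened, "alice", "67890"))
```

The hardened handler deliberately returns the same "not found" result for a record that does not exist and for one the caller does not own; distinguishing the two with separate 403 and 404 responses would let an attacker enumerate which IDs are valid even after the data leak is closed.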

The development comes days after CISA released its analysis of data gathered from risk and vulnerability assessments (RVAs) conducted across multiple federal civilian executive branch (FCEB) as well as high-priority private and public sector critical infrastructure operators.

The study found that “Valid Accounts were the most common successful attack technique, responsible for 54% of successful attempts,” followed by spear-phishing links (33.8%), spear-phishing attachments (3.3%), external remote services (2.9%), and drive-by compromises (1.9%).

“To guard against the successful Valid Accounts technique, critical infrastructure entities must implement strong password policies, such as phishing-resistant [multi-factor authentication], and monitor access logs and network communication logs to detect abnormal access,” CISA said.