US and Australia Warn Developers Over IDOR VulnerabilitiesFlaws That Give Back-End Access to an Object Can Cause Large Breaches, Agencies Say
U.S. and Australian cybersecurity agencies are warning developers to guard against access flaws in websites and web applications, saying that failure to institute authentication checks can lead to large data breaches.
Access control flaws known as insecure direct object reference vulnerabilities occur when an application uses an identifier such as a number or user name for back-end access to an object such as a customer portal page or files without first authenticating the user. The lack of authentication allows attackers to potentially retrieve information intended for other users or users with higher privileges. It could also let attackers modify or delete the objects or execute functions they're not authorized to undertake.
"IDOR vulnerabilities have resulted in the compromise of personal, financial and health information of millions of users and consumers," says an advisory published Wednesday by the U.S. Cybersecurity and Infrastructure Security Agency, the U.S. National Security Agency and the Australian Cyber Security Center.
IDOR vulnerabilities are often simple to exploit but can be difficult for developers to identify, cybersecurity firm Varonis said. "Tools and techniques like code analysis and automated scanning aren’t as good at spotting IDOR bugs as many other common security issues, which means identifying these vulnerabilities may require manual security testing."
OWASP included broken access controls in its 2021 list of the top 10 most critical security risks to web applications.
The agencies recommend that vendors, designers and developers adopt "secure by design" and "secure by default" principles to ensure proper authentication and authorization checks for every request that modifies, deletes and accesses sensitive data in the software or web API.
Among the incidents including an IDOR vulnerability was a 2019 breach of hundreds of millions of documents related to mortgage deals at real estate title insurance giant First American Financial Corp., which was reported by cybersecurity journalist Brian Krebs.