Recently, cybersecurity agencies in Australia and the US published a joint warning about a class of security flaws in web applications that malicious actors can exploit to carry out data breaches and steal personal and confidential data. These attacks abuse a specific class of bugs called Insecure Direct Object Reference (IDOR). This is a type of access control flaw that occurs when an application uses user-supplied input or another identifier to access an internal resource directly, such as a database record, without performing any additional validation.
The most basic kind of IDOR flaw lets a user change an identifier in the URL and thereby obtain data for another transaction without authorization.
The joint agency statement explains that IDOR vulnerabilities are access control vulnerabilities that enable malicious actors to delete, modify, or access sensitive data by issuing requests to a website or web application that specify the user identifier of other valid users. Such requests succeed when the application lacks adequate authentication and authorization checks.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) noted that adversaries are exploiting these flaws to compromise important personal, health and financial data belonging to millions of consumers. To mitigate such threats, vendors, developers, and designers should follow secure-by-design and secure-by-default principles. They should also ensure the software they build performs authentication and authorization checks for every request that asks to access, modify, or delete sensitive data.
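The following is an added illustration of the flaw and the mitigation described above; it is not code from the advisory or from any real application. It places a vulnerable record lookup, which trusts the user-supplied identifier directly, beside two hardened variants that bind every lookup to the authenticated user. The data store, user names and record ids are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    id: int
    owner: str
    amount: float


# Constructed in-memory "database": each transaction belongs to one user.
TRANSACTIONS = {
    1001: Transaction(1001, "alice", 25.00),
    1002: Transaction(1002, "bob", 980.50),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested object."""


def get_transaction_insecure(current_user: str, transaction_id: int) -> Optional[Transaction]:
    """IDOR pattern: the identifier taken from the request (e.g. the URL path)
    is used as the lookup key with no check that current_user owns the record,
    so changing the id returns another user's transaction."""
    return TRANSACTIONS.get(transaction_id)


def get_transaction_secure(current_user: str, transaction_id: int) -> Optional[Transaction]:
    """Hardened pattern: an explicit authorization check on every request.
    A record that exists but belongs to someone else is rejected with Forbidden;
    a record that does not exist returns None."""
    record = TRANSACTIONS.get(transaction_id)
    if record is None:
        return None
    if record.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access transaction {transaction_id}")
    return record


def get_transaction_scoped(current_user: str, transaction_id: int) -> Optional[Transaction]:
    """Alternative hardened pattern: scope the query to the principal, the way
    a WHERE owner = :user clause would. Missing and not-owned records are
    indistinguishable to the caller, so the endpoint does not reveal which
    identifiers exist."""
    record = TRANSACTIONS.get(transaction_id)
    if record is None or record.owner != current_user:
        return None
    return record
```

The scoped variant is the usual choice for list and detail endpoints, while the explicit-check variant is useful when a denied access should be logged as a distinct authorization failure for detection.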
This development came days after CISA published its analysis of data gathered from the risk and vulnerability assessments (RVAs) it conducted across various high-priority private and public sector infrastructure operators and federal civilian executive branch agencies. The analysis revealed that the most common attack technique used was Valid Accounts, which was also the most successful: it was responsible for 54% of successful attempts. In second place were spear-phishing links, which were responsible for 33.8% of successful attacks.