
Cyber agencies in the US and Australia warn that IDOR security flaws can be exploited “at scale”

U.S. and Australian government cybersecurity agencies warn that common security vulnerabilities in websites and web apps can be exploited to commit large-scale data breaches.

CISA, the National Security Agency, and the Australian Cyber Security Centre warned Thursday that insecure direct object references (IDORs) allow hackers to access or modify sensitive data on an organization’s servers due to a lack of security checks.

An IDOR vulnerability is like a mailbox key that opens every mailbox on the street: because the server never checks who is asking, a malicious actor can walk through record identifiers one after another and read data they should not have access to.

The advisory warns that automated tools can abuse IDORs “at scale” due to enumeration vulnerabilities.

“CISA and our partners at the Australian Cyber Security Centre and National Security Agency realized this is a major flaw with too little recognition or understanding in the cyber community. Today’s joint advisory is the first significant advisory on this subject to help organizations protect sensitive data in their systems and push vendors to reduce IDOR vulnerabilities and flaws,” CISA Product Development Section Chief James Stanley told TechCrunch.

IDORs have caused major data breaches worldwide, according to the joint advisory.

In recent years, IDORs have been behind the exposure of thousands of medical documents at a U.S. laboratory giant, a state government website that leaked thousands of taxpayers’ personal information, a college contact-tracing app that leaked COVID-19 vaccination status, and a state-backed health app that allowed access to other people’s vaccination data. IDORs also exposed hundreds of millions of U.S. mortgage documents, over a million vehicles’ real-time location data from a flawed GPS tracker, and hundreds of thousands of people’s private phone data stolen by a global stalkerware network.

The joint advisory recommends that web app developers perform authentication and authorization checks on every request for an object to reduce IDORs, and that software be secure-by-design, a CISA principle that encourages software makers to build security into their products from the start.
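To make the recommended check concrete, here is an added example (it is not code from the advisory, from TechCrunch, or from any of the breached organizations) of a record-lookup handler with the IDOR pattern described above and the authorization check that closes it. The data store, user names and record ids are constructed for the example, and `readable_by` is a hypothetical helper a developer would run against their own handler to confirm a session user sees only their own records.

```python
"""Added example: an IDOR in a record-lookup handler and its fix.

Constructed sample data; not the advisory's or the article's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample store keyed by sequential integer ids, the kind of
# identifier that lets an IDOR be abused one record after another.
RECORDS = {
    1001: Record(1001, "alice", "alice's lab result"),
    1002: Record(1002, "bob", "bob's lab result"),
    1003: Record(1003, "carol", "carol's lab result"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def fetch_record_vulnerable(session_user: str, record_id: int) -> Record:
    """Authenticated but not authorized: any logged-in user gets any record.

    The session user is known but never compared with the record owner,
    which is exactly the missing security check the advisory describes.
    """
    return RECORDS[record_id]


def fetch_record_fixed(session_user: str, record_id: int) -> Record:
    """Authorization check on every object access.

    A missing record and a record owned by someone else both raise the
    same Forbidden error, so the response does not reveal which ids exist.
    """
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read record {record_id}")
    return record


def readable_by(handler, session_user: str) -> int:
    """Hypothetical developer self-test: count how many stored records the
    handler hands to session_user. A correct handler returns only the
    caller's own records (1 for alice in the sample store)."""
    count = 0
    for record_id in RECORDS:
        try:
            handler(session_user, record_id)
            count += 1
        except (Forbidden, KeyError):
            pass
    return count


if __name__ == "__main__":
    # Run as a script to compare the two handlers for the same session user.
    for name, handler in (("vulnerable", fetch_record_vulnerable),
                          ("fixed", fetch_record_fixed)):
        print(f"{name}: alice can read {readable_by(handler, 'alice')} record(s)")
```

The fixed handler keeps the authentication decision (who the session user is) separate from the authorization decision (whether that user owns the object), and makes the second check on every request rather than trusting the identifier the client supplied.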

This advisory emphasizes secure-by-design. CISA’s Stanley advised vendors and developers to protect customers’ sensitive data by design and default.

The Australian cyber agency said malicious actors continue to exploit misconfigured networks.

“One IDOR vulnerability breach can affect the nation. A malicious actor exfiltrating data could impact critical infrastructure, businesses, government, and individuals,” said Patrick Holmes with the Australian Cyber Security Centre.
