The Cybersecurity and Infrastructure Security Agency (CISA), along with the Australian Cyber Security Centre (ACSC) and the U.S. National Security Agency (NSA), issued a warning about the significant breach risks posed by insecure direct object reference (IDOR) vulnerabilities affecting web applications.
IDOR flaws allow attackers to access and manipulate sensitive data by directly referencing internal resources without proper validation. These vulnerabilities are considered high security risks as they can lead to unauthorized access and data breaches, compromising personal, financial, and health information of millions of users and consumers.
Furthermore, the advisory covers various web app models, including on-premises software, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and private cloud models. The three agencies urged vendors, developers, designers, and organizations using web applications to take preventive measures against IDOR vulnerabilities to safeguard their systems.
They provided a range of best practices and recommendations aimed at reducing the occurrence of IDOR vulnerabilities, emphasizing the importance of secure coding practices, automated code analysis, secure software development, and regular testing.
The advisory highlighted several incidents where IDOR security flaws resulted in massive data breaches. In one instance, stalkerware apps exploiting an IDOR vulnerability exposed text messages, call records, photos, and geolocation information from hundreds of thousands of mobile devices.
Another breach in 2019 impacted a U.S. Financial Services Sector organization, exposing over 800 million personal financial files, including bank statements and account numbers. The three agencies stressed the criticality of adhering to secure-by-design principles, promptly applying software patches, and conducting regular penetration testing and vulnerability scanning to ensure web apps are secure and protected from potential threats arising from IDOR vulnerabilities.