Global: US and Australia Cyber Agencies Warn About Exploitable IDOR Security Flaws at Scale

Cybersecurity agencies from the United States and Australia have issued a joint advisory, cautioning about the prevalence of insecure direct object reference (IDOR) vulnerabilities in websites and web applications. These vulnerabilities can be easily exploited by malicious hackers to gain unauthorized access or modify sensitive data stored on an organization’s servers, primarily due to inadequate security checks.

The analogy of an IDOR vulnerability is likened to having a master key that can unlock multiple mailboxes on a street. Bad actors can exploit these vulnerabilities in a sequential manner, allowing them to access data they are not authorized to see. Furthermore, the advisory warns that these vulnerabilities can be abused “at scale” using automated tools, making them even more concerning.

The advisory points out that IDORs have already caused significant data breaches in both the United States and other countries. Such breaches have exposed thousands of medical documents, taxpayers’ personal information, COVID-19 vaccination status, and other sensitive data.

To address these vulnerabilities, the joint advisory suggests that developers should ensure their web applications implement robust authentication and authorization checks to reduce IDOR risks. Additionally, the principle of “secure-by-design” is encouraged, meaning that security should be integrated into the software development process from its inception.

The agencies emphasize the importance of protecting sensitive data by design and default, urging vendors and developers to take appropriate measures to ensure the security of their products. Misconfigured networks continue to be targeted by malicious actors, underscoring the need for heightened vigilance and security measures to safeguard critical infrastructure, businesses, government entities, and individuals from potential data breaches.

By promoting awareness and understanding of IDOR vulnerabilities, the joint advisory aims to encourage organizations to bolster their cybersecurity practices and reduce the prevalence of these exploitable flaws.