Personal, financial, and health information belonging to millions of folks has been stolen via a particular class of website vulnerability, say cybersecurity agencies in the US and Australia. They’re urging developers to review their code and squish these bugs for good.

The flaws are known as insecure direct object references, or IDORs. They essentially occur when a web app or a web API backend doesn’t properly check that a user is actually allowed to access some info from a database or some other resource.

More specifically, IDOR bugs can occur when access is granted to stuff on the basis of the user’s input, rather than from looking up that person’s access rights.

An example would be a website that has a URL scheme like…

http://foo.bar/gettransaction?id=12345

…which would show you details of a transaction with the ID number 12345. Ideally the web app should only show transactions belonging to the logged-in user, but if it just blindly accepts any given id number and displays the corresponding transaction for whoever is logged in, that’s an IDOR. Someone could just try out the full range of IDs or selected ones, and see other people’s transaction details, which will presumably contain personal and private information.

These IDORs can therefore lead to large-scale data security breaches.

CISA, in a joint alert with the NSA and the Australian Cyber Security Centre, this week warned that miscreants are “frequently” exploiting these types of holes “because they are common, hard to prevent outside the development process, and can be abused at scale.”

“Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier,” CISA explains.

This can have dire consequences because criminals can exploit IDOR flaws to steal, modify, or delete sensitive data, access devices without permission, or send malware to unwitting victims.

Case in point: a 2019 First American Financial security breach in which 800 million personal financial files, including bank statements, bank account numbers, and mortgage payment documents were exposed. CISA said an IDOR flaw allowed crooks to swipe this financial information.

More recently, Jumpsec security researchers showed how an IDOR vulnerability in Microsoft Teams could be exploited to bypass security controls and send files — specifically malware — to any organization that uses Redmond’s chat app.

And in April, CISA warned that two IDOR bugs in Nexx’s smart home devices could allow miscreants to send instructions to a victim’s smart home device, via the NEXX API, and the hardware will do whatever the attacker tells it to do.

What to do

To help prevent data breaches due to IDOR bugs, the agencies suggest that vendors and web app developers implement secure-by-design principles at each stage of the software development process. Automated code analysis tools can also check for this kind of buggy code so that weaknesses can be fixed before stuff reaches production.

The agencies also published a series of recommendations that vendors, app designers, developers, and end users can take to reduce the risk from IDOR flaws, and better protect sensitive data from criminals.

It’s a long list of suggested actions, and we recommend reading it in its entirety. But first, this one deserves a shout out: “Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data.”

The joint alert also “strongly encourages” end-user organizations to implement the suggested mitigations. In short: for those using software-as-a-service (SaaS) models for cloud-based apps it’s recommended to use due diligence and follow best practices for supply chain risk management.

Meanwhile, for end-user orgs deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models, the agencies recommend reviewing authentication and authorization checks in any web apps that enable access to, or modification of, sensitive data.

And, of course, apply patches as soon as possible in case IDOR bugs and any other holes need fixing.

Also, perform regular penetration testing exercises and vulnerability scanning to ensure internet-facing web apps are secure, is the advice. ®