What are IDORs?

The cybersecurity agencies of the United States and Australia have recently issued a warning concerning the theft of personal, financial, and health data of millions of individuals. The theft has been attributed to a type of website vulnerability known as insecure direct object references (IDORs). They urge web developers to review their code to find and eliminate these vulnerabilities.

An IDOR occurs when a web application or a web API backend does not properly validate a user’s authority to access certain information from a database or a similar resource. It’s a critical flaw that takes place when a user’s input alone grants access to information, bypassing the verification of the person’s access rights.

Example of an IDOR

A prime example of an IDOR is a URL like “http://foo.bar/gettransaction?id=12345“ which displays details of a transaction with a specific ID number. Ideally, the web application should only reveal transactions related to the authenticated user. However, when it accepts any input id number and displays the corresponding transaction to whoever is logged in, that’s an IDOR. Consequently, exploiting this flaw can lead to the exposure of private and personal information, resulting in large-scale data breaches.

Risks and Implications

The Cybersecurity and Infrastructure Security Agency (CISA) along with the National Security Agency (NSA) and the Australian Cyber Security Centre issued a joint alert this week, pointing out that these vulnerabilities are being exploited “frequently” due to their common occurrence, the complexity of preventing them outside of the development process, and the ability to abuse them on a large scale.

These vulnerabilities, as CISA explained, exist when an object identifier is exposed, externally passed, or easily guessed, allowing any user to manipulate or use the identifier. The exploitation of IDOR vulnerabilities can have severe implications, including the theft, alteration, or deletion of sensitive data, unauthorized access to devices, or malware distribution to unsuspecting victims.

Noteworthy Instances

• A notable instance is the 2019 security breach of First American Financial, where 800 million personal financial files were exposed due to an IDOR flaw.
• More recently, Jumpsec security researchers demonstrated how an IDOR vulnerability in Microsoft Teams could bypass security controls, enabling the distribution of malware to any organization using the chat application.

Recommendations to Mitigate the Threat

In order to combat data breaches caused by IDOR bugs, the cybersecurity agencies recommended:

1. Adopt secure-by-design principles: Vendors and web app developers should adopt these at each stage of the software development process.
2. Use automated code analysis tools: These tools can detect these vulnerabilities, allowing for the rectification of weaknesses before deployment.
3. Deny access by default: Perform authentication and authorization checks for every data modification, deletion, and sensitive data access request.
4. Adhere to best practices for supply chain risk management: Specifically recommended for Software-as-a-Service (SaaS) cloud-based app users.
5. Review authentication and authorization checks: Organizations using on-premises software, Infrastructure-as-a-Service (IaaS), or private cloud models are advised to review checks for web apps that can access or modify sensitive data.
6. Implement patches swiftly: As a precautionary measure, these organizations should implement patches swiftly to address any IDOR bugs or other vulnerabilities.
7. Conduct regular penetration testing and vulnerability scanning: To ensure the security of internet-facing web applications.

User Education and Awareness

In addition to the aforementioned technical solutions, user education is equally important in the fight against IDOR vulnerabilities. It is crucial for users to understand the risks involved and adopt safe online habits. Therefore:

1. End-user training: Organizations should train their employees about the threats posed by IDORs. Users should be educated on how to identify suspicious activity and be encouraged to report any potential IDOR instances to the organization’s cybersecurity team.
2. Regular updates on security measures: Organizations should provide regular updates and news regarding cybersecurity threats, including updates on IDOR vulnerabilities and ways to combat them.
3. Use of strong authentication methods: Encourage the use of strong authentication methods such as two-factor or multi-factor authentication to minimize the risk of IDOR attacks.

Vendor Responsibility

Software vendors also play a critical role in mitigating IDOR risks.

1. Timely patching of vulnerabilities: Vendors must provide timely patches for any identified IDOR bugs and communicate about these patches to their clients.
2. Regular security audits: Regular security audits can help vendors discover any existing vulnerabilities in their software. Any issues found during these audits should be resolved promptly to minimize potential damage.
3. Clear communication with clients: Vendors must communicate effectively with their clients about potential vulnerabilities and the measures taken to mitigate them. Clear instructions on applying patches and performing other security measures should be provided.

The rise of IDOR vulnerabilities represents a significant threat to online data security. However, through the combined efforts of software vendors, web developers, and end users, it is possible to manage and minimize this threat. Implementing robust security measures at each stage of the software development process, conducting regular security audits and penetration tests, and promoting user education and awareness are all crucial steps towards achieving this goal. The responsibility to ensure data security belongs to everyone, and only through shared efforts can we hope to maintain the integrity and security of our digital world.

Based on an article: https://www.theregister.com/2023/07/29/cisa_nsa_idor_australia/