Developers, designers, vendors, and end-user organisations that build or rely on web applications should take note: many web applications contain a class of access control vulnerability known as IDOR, or Insecure Direct Object Reference. IDOR flaws enable malicious actors to do a great deal of damage to businesses, including deleting or modifying data, or reading sensitive data, simply by sending requests to a website or a web application programming interface (API) that name another user's object.
Such requests succeed because the application performs no, or inadequate, authentication and authorisation checks on the identifier the client supplies: typically it confirms that the user is logged in but never asks whether that user is allowed to act on the particular object requested. These vulnerabilities are exploited frequently because they are common, easy to find by trial and error, and cannot be prevented with a drop-in library. According to Ravin Prasad, CEO of Cybernetic Global Intelligence, a globally accredited cybersecurity support service, IDOR vulnerabilities have led to the theft of personal, health, and financial information belonging to millions of consumers worldwide.
Because of the severe consequences of IDOR vulnerabilities, several national cybersecurity agencies have issued a joint cybersecurity advisory, Preventing Web Application Access Control Abuse. The authoring agencies are the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA). They strongly encourage developers, vendors, designers, and end-user organisations to take the advisory seriously and implement its recommendations to minimise IDOR vulnerabilities and protect sensitive data. Before listing those recommendations, let us first understand what IDOR vulnerabilities are.
What Are IDOR Vulnerabilities?
IDOR vulnerabilities are access control flaws found in web applications, and in mobile applications that call affected web APIs. They occur when the application uses a client-supplied identifier, say a name, numeric ID, or key, to look up an object, say a record in a database, without verifying that the requesting user is both authenticated and authorised to act on that particular object. Because such identifiers are usually predictable (often a sequential integer), an attacker only has to substitute another user's value. In the absence of the check, malicious actors can not only read sensitive data but also modify or delete objects that belong to someone else.
What Are the Types of IDOR Vulnerabilities?
There are several types of IDOR vulnerabilities that developers, vendors, and other stakeholders should keep in mind.
#1. Horizontal IDOR vulnerabilities: These occur when a malicious user gains access to data belonging to another user at the same privilege level, for example one customer reading another customer's invoice by changing the invoice number in the request.
#2. Vertical IDOR vulnerabilities: These occur when a malicious user is able to access data that requires a higher privilege level than the one they hold, for example an ordinary user reaching records reserved for administrators.
#3. Object-level IDOR vulnerabilities: These occur when users are able to read, modify, or delete specific objects that they should never have had access to, because the per-object ownership check is missing.
#4. Function-level IDOR vulnerabilities: These occur when users are able to invoke a function or action that they are not supposed to, such as an administrative endpoint that checks that the caller is logged in but not which role the caller holds.
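The patterns above, as an added example that is not code from the article or the joint advisory: a small in-memory Python "documents" API with a vulnerable lookup (horizontal IDOR), the same lookup with an object-level authorisation check, an admin-only function whose role test prevents a vertical IDOR, and opaque per-session handles in place of raw database IDs. The users, documents, identifiers, and function names are all assumptions constructed for illustration.

```python
"""Added example (not code from the article or the joint advisory).

A minimal in-memory 'documents' API showing the IDOR pattern and two fixes:
a per-object authorisation check, and opaque per-session handles instead of
raw, guessable database IDs. Users, documents and IDs are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: sequential IDs, exactly what an attacker enumerates.
USERS = {1: User(1, "user"), 2: User(2, "user"), 99: User(99, "admin")}
DOCS = {
    1001: Document(1001, owner_id=1, body="alice's tax return"),
    1002: Document(1002, owner_id=2, body="bob's medical report"),
}


def get_document_vulnerable(current_user: User, doc_id: int) -> str:
    """Authenticated, but never asks whether current_user may read doc_id.
    Any logged-in user can read every document: a horizontal IDOR."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def get_document(current_user: User, doc_id: int) -> str:
    """Object-level check: owner or admin only. Unauthorised and missing
    objects raise the same error so the endpoint does not confirm which IDs exist."""
    doc = DOCS.get(doc_id)
    allowed = doc is not None and (
        doc.owner_id == current_user.user_id or current_user.role == "admin"
    )
    if not allowed:
        raise NotFound(doc_id)
    return doc.body


def list_all_documents(current_user: User) -> list[int]:
    """Function-level check: an admin-only action. Without the role test a
    normal user could call it, which would be a vertical IDOR."""
    if current_user.role != "admin":
        raise Forbidden("admin role required")
    return sorted(DOCS)


def probe_ids(fetch, user: User, id_range) -> list[int]:
    """Simulate an attacker walking identifiers through an endpoint as the
    given user; return the IDs that came back readable."""
    readable = []
    for doc_id in id_range:
        try:
            fetch(user, doc_id)
        except (NotFound, Forbidden):
            continue
        readable.append(doc_id)
    return readable


class Session:
    """Indirect references: the client only ever sees random per-session
    handles for objects it owns, so there is nothing sequential to guess.
    The server-side authorisation check is still applied on every lookup."""

    def __init__(self, user: User):
        self.user = user
        self._handle_to_id = {
            secrets.token_urlsafe(16): doc.doc_id
            for doc in DOCS.values()
            if doc.owner_id == user.user_id
        }

    def handles(self) -> list[str]:
        return list(self._handle_to_id)

    def get_document(self, handle: str) -> str:
        doc_id = self._handle_to_id.get(handle)
        if doc_id is None:
            raise NotFound(handle)
        return get_document(self.user, doc_id)


if __name__ == "__main__":
    bob = USERS[2]
    print("vulnerable:", probe_ids(get_document_vulnerable, bob, range(1000, 1010)))
    print("fixed:     ", probe_ids(get_document, bob, range(1000, 1010)))
    print("alice's handles:", Session(USERS[1]).handles())
```

Running the probe as Bob against the vulnerable endpoint returns both documents; against the fixed endpoint it returns only his own. Note that the fix is the authorisation check inside get_document, not the opaque handles: the handles only remove the guessable identifier, and a real application must still verify ownership server-side because a handle can leak or be shared.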
Impact of IDOR Vulnerabilities
These vulnerabilities are difficult to detect outside the development process because each one is specific to the application's own data model and business logic: no library or generic security function can mitigate them, and a scanner on its own cannot know which user is supposed to own which object. According to Manish Chaudhari, CISO of Cybernetic Global Intelligence, a globally accredited cybersecurity company, malicious actors using automated tools can nevertheless detect and exploit them at scale, simply by iterating through identifiers. This places end-user organisations at risk of data leaks or breaches. Examples of data leaks or breaches attributed to IDOR vulnerabilities include:
In October 2021, a global data leak exposed call records, text messages, device geolocations, and photos collected by insurance apps.
In 2019, more than 800 million personal financial records, including bank account numbers, bank statements, and mortgage payment details, were exposed by a US-based financial services organisation.
How to Mitigate IDOR Vulnerabilities
End-user organisations, whether they run software on premises, in a private cloud, or consume it as SaaS or IaaS, can mitigate IDOR vulnerabilities with the measures below.
- Follow best practices for supply chain risk management and exercise due diligence when selecting web applications. Procure from trustworthy vendors that demonstrate a commitment to secure-by-design principles.
- Verify the product’s integrity through signature or hash verification.
- Review the SBOM (Software Bill of Materials) for vulnerable, outdated, or unauthorised components.
- Apply software patches for web applications.
- Configure the web application to log and alert on tampering attempts, such as a single client requesting many sequential object identifiers in a short time or producing a burst of 403/404 responses. These alerts help network defenders investigate and take appropriate action.
- Create, maintain, and implement a cyber incident response plan.
- Conduct proactive and frequent red team penetration testing to ensure web applications and network boundaries are secure. Because IDOR is a logic flaw, testing should include manual attempts to reach one test account's objects from another account, and to call privileged functions from an unprivileged one. Reputable third-party cybersecurity services such as Cybernetic Global Intelligence, an IAF-accredited ISO 27001-certified PCI QSA company, can help detect new attack vectors.
- Use DAST and other scanners to help detect IDOR vulnerabilities. These tools automatically flag candidate findings, such as an endpoint that still returns data when an identifier is substituted, but they produce false negatives for IDOR because they cannot know which user is meant to own which object, so combine them with manual testing. Engage with web application security auditors from notable global cybersecurity
- Report any vulnerabilities to the vendor or developer immediately.
- Use a web application firewall to monitor, filter, and block malicious traffic towards web applications. A WAF can rate-limit and block obvious identifier enumeration, but it cannot decide whether a given user is authorised for a given object, so treat it as defence in depth rather than a fix for the underlying flaw.
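As an added example of the logging and alerting recommendation above (not code from the article or the advisory), here is a small Python detector run over constructed access-log lines. It groups object lookups by client and resource and raises an alert when one client touches many distinct, sequential identifiers within a short span. The log format, paths, IP addresses, user names, and thresholds are assumptions chosen for illustration; the same logic works whether the responses are 200s (a vulnerable application being harvested) or 403/404s (a patched application being probed).

```python
"""Added example (not from the article or the advisory): a detector for
IDOR-style identifier enumeration, run over constructed access-log lines.
Log format, paths, addresses, users and thresholds are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Common log format with an authenticated user field (assumed layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Only requests that address a single object by numeric ID are of interest.
OBJECT_PATH = re.compile(r"^/api/(?P<resource>[a-z]+)/(?P<id>\d+)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: alice behaves normally, bob walks IDs 1002..1007.
SAMPLE_LOG = """\
198.51.100.10 - alice [27/Jul/2023:10:00:01 +0000] "GET /api/documents/1001 HTTP/1.1" 200 512
203.0.113.7 - bob [27/Jul/2023:10:00:05 +0000] "GET /api/documents/1002 HTTP/1.1" 200 498
203.0.113.7 - bob [27/Jul/2023:10:00:06 +0000] "GET /api/documents/1003 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:06 +0000] "GET /api/documents/1004 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:07 +0000] "GET /api/documents/1005 HTTP/1.1" 404 0
203.0.113.7 - bob [27/Jul/2023:10:00:07 +0000] "GET /api/documents/1006 HTTP/1.1" 200 477
203.0.113.7 - bob [27/Jul/2023:10:00:08 +0000] "GET /api/documents/1007 HTTP/1.1" 404 0
198.51.100.10 - alice [27/Jul/2023:10:02:30 +0000] "GET /api/invoices/7 HTTP/1.1" 200 1024
192.0.2.44 - - [27/Jul/2023:10:03:00 +0000] "GET /healthz HTTP/1.1" 200 2
""".splitlines()


def detect_enumeration(lines, min_distinct_ids=5, max_span_seconds=60):
    """Group object lookups by (ip, user, resource) and alert when one client
    touches at least min_distinct_ids distinct IDs within max_span_seconds.
    Returns a list of alert dicts; an empty list means nothing fired."""
    seen = defaultdict(lambda: {"ids": set(), "first": None, "last": None, "denied": 0})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        p = OBJECT_PATH.match(m["path"])
        if not p:
            continue  # not an object lookup (health check, static asset, ...)
        key = (m["ip"], m["user"], p["resource"])
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        rec = seen[key]
        rec["ids"].add(int(p["id"]))
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if m["status"] in ("403", "404"):
            rec["denied"] += 1

    alerts = []
    for (ip, user, resource), rec in seen.items():
        ids = sorted(rec["ids"])
        span = (rec["last"] - rec["first"]).total_seconds()
        if len(ids) < min_distinct_ids or span > max_span_seconds:
            continue
        # Strictly consecutive IDs are the signature of a naive enumeration loop.
        sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        alerts.append({
            "ip": ip,
            "user": user,
            "resource": resource,
            "distinct_ids": len(ids),
            "sequential": sequential,
            "denied": rec["denied"],
            "span_seconds": span,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector fires once, for bob on the documents resource: six distinct consecutive IDs in three seconds, four of them denied. The denied count is deliberately only reported, not required, because against a vulnerable application every probe returns 200 and the volume of distinct IDs is the only signal; in production the grouping would be done per sliding time window rather than per batch, and the thresholds tuned to the application's normal per-user access rate.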
Conclusion
IDOR vulnerabilities need to be detected and remedied before they cause data leaks, breaches, or reputational damage to organisations. The advisory and guidelines issued by these agencies should be implemented in letter and spirit to keep the vulnerabilities from affecting your business. You can also engage an established and reputable IT security consulting company such as Cybernetic Global Intelligence to do the job for you and protect your organisation from the impact of data breaches.
To contact Cybernetic Global Intelligence, send an email to contact@cybernetic-gi.com or call 1300 292 376.