Insecure Direct Object Reference (IDOR) Flaws Under the Spotlight - Cybersecurity Agencies Raise Alarm
According to Shekhar Menkudale, Analyst at QKS Group: to protect against the prevalent "Valid Accounts" technique, critical infrastructure entities should enforce robust password policies and use phishing-resistant multi-factor authentication. Close monitoring of access and network logs helps detect abnormal access attempts. By taking proactive measures, organizations can create a safer digital environment for all users.
Australian and U.S. cybersecurity agencies have jointly warned about a class of web application security vulnerabilities. These flaws, known as Insecure Direct Object Reference (IDOR), can be exploited by malicious actors to carry out data breaches and steal sensitive information.
IDOR occurs when an application exposes a direct reference to an internal resource, such as a database record, and serves it without verifying that the requester is authorized to access it. A typical example is a user who can simply modify the URL (e.g., https://example[.]site/details.php?id=12345) to retrieve data from another user's transaction without authorization (i.e., https://example[.]site/details.php?id=67890).
The agencies stated that “IDOR vulnerabilities allow malicious actors to change, delete, or access sensitive data by sending requests to a website or web application API, using the user identifier of legitimate users”. Lack of proper authentication and authorization checks leads to the success of these fraudulent requests.
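As an added illustration (not code from the advisory or this article), the following Python models the details.php?id= lookup described above: the IDOR-prone handler beside a hardened one that enforces record ownership on every request. The TRANSACTIONS data, user names and function names are constructed for the example.

```python
# Added illustration, not the advisory's code: a model of the
# details.php?id=... lookup. Names and records below are constructed.
from dataclasses import dataclass

class Forbidden(Exception):
    """Authenticated caller does not own the requested record."""

@dataclass(frozen=True)
class Transaction:
    tx_id: int
    owner: str    # user the record belongs to
    amount: float

# Constructed sample "database": each user has one transaction.
TRANSACTIONS = {
    12345: Transaction(12345, "alice", 42.00),
    67890: Transaction(67890, "bob", 1300.00),
}

def get_details_vulnerable(session_user: str, tx_id: int) -> Transaction:
    """IDOR-prone: checks that someone is logged in, never who owns the row.
    A logged-in alice who edits ?id=12345 to ?id=67890 gets bob's data."""
    if not session_user:
        raise PermissionError("login required")
    return TRANSACTIONS[tx_id]

def get_details_fixed(session_user: str, tx_id: int) -> Transaction:
    """Hardened: authorization is enforced server-side on every request.
    Missing and foreign records get the same response, so the caller cannot
    use the difference to confirm that another id exists."""
    if not session_user:
        raise PermissionError("login required")
    record = TRANSACTIONS.get(tx_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"{session_user!r} may not access transaction {tx_id}")
    return record

def demo() -> tuple[bool, bool]:
    """(vulnerable_leaks, fixed_blocks) for alice requesting bob's id."""
    leaked = get_details_vulnerable("alice", 67890).owner == "bob"
    try:
        get_details_fixed("alice", 67890)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same ownership comparison is the check a detection team would expect to see logged as a denied request when a legitimate user's session starts requesting ids that belong to others.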
The organizations responsible for the advisory - the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) - highlighted that malicious actors are exploiting these vulnerabilities to compromise the personal, financial, and health data of millions of users and consumers.
The research highlights "Valid Accounts" as the most prevalent successful attack technique, followed by spear-phishing links, spear-phishing attachments, external remote services, and drive-by compromises.
CISA advised critical infrastructure entities to protect against the successful Valid Accounts technique by enforcing robust password policies, utilizing phishing-resistant multi-factor authentication, and closely monitoring access logs and network communication logs to identify any unusual access attempts.
In conclusion, the joint warning emphasizes the urgency of addressing web application vulnerabilities, particularly IDOR flaws. Malicious actors are exploiting these weaknesses to carry out data breaches, posing significant risks to users and consumers. To counter these threats, vendors and developers must prioritize secure design and implement strong authentication and authorization checks for every request that touches sensitive data. Removing the accounts of former employees and default administrator accounts is also crucial.