Cloud Security, Identity

Advisory warns of potential at-scale exploitation of IDOR vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency and National Security Agency, together with the Australian Cyber Security Centre, have issued a joint advisory warning that insecure direct object reference (IDOR) vulnerabilities in websites and web apps could be exploited to facilitate widespread data breaches, TechCrunch reports. Threat actors could leverage automated tools to exploit IDOR flaws at scale, which has already been done to compromise a major U.S. laboratory, a state government website, a state-backed health app, and a college contact-tracing app, according to the advisory. Threat actors have also used IDORs to expose millions of U.S. mortgage files and over a million vehicles' real-time location information. Authentication and authorization checks should be implemented across web apps to prevent IDORs, said CISA, which also recommended the use of secure-by-design software. "Secure-by-design is a fundamental theme in this advisory. Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers' sensitive data by design and default," said CISA Product Development Section Chief James Stanley.
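To illustrate the authorization check the advisory calls for, the following is an added example (not code from the advisory or from any affected system): a lookup that trusts the object id alone, next to one that enforces object-level authorization and one that hides real ids behind opaque per-session handles. The record store, owners and ids are constructed sample data.

```python
"""IDOR demo: a vulnerable lookup beside an authorization-enforcing one."""
import secrets

# Constructed sample records (hypothetical file store keyed by sequential ids)
RECORDS = {
    1001: {"owner": "alice", "body": "alice's loan file"},
    1002: {"owner": "bob", "body": "bob's loan file"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_record_vulnerable(record_id: int) -> dict:
    """IDOR: whoever supplies (or guesses) an id gets the record back.

    Nothing here ties the requested object to the requesting user."""
    return RECORDS[record_id]


def get_record_checked(user: str, record_id: int) -> dict:
    """Object-level authorization: the id alone is never sufficient."""
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which ids exist.
    if record is None or record["owner"] != user:
        raise Forbidden(f"{user} may not access record {record_id}")
    return record


class IndirectReferenceMap:
    """Opaque handles (one map per session) so real ids never reach the client."""

    def __init__(self) -> None:
        self._handles: dict[str, int] = {}

    def handle_for(self, record_id: int) -> str:
        token = secrets.token_urlsafe(16)  # unguessable, unlike a sequential id
        self._handles[token] = record_id
        return token

    def resolve(self, user: str, token: str) -> dict:
        record_id = self._handles.get(token)
        if record_id is None:
            raise Forbidden("unknown handle")
        # Indirection is defence in depth; ownership is still enforced.
        return get_record_checked(user, record_id)
```

In a real web app the `user` argument comes from the authenticated session, never from the request body or URL.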
