Skip to main content

US, Australia cyber agencies warn IDOR security flaws can be exploited ‘at scale’

U.S. and Australian government cybersecurity agencies are warning that common and easily exploitable security vulnerabilities in websites and web apps can be abused to carry out large-scale data breaches.

In a joint advisory published Thursday, U.S. cybersecurity agency CISA, the National Security Agency and the Australian Cyber Security Centre said that the vulnerabilities, known as insecure direct object references (IDORs), allow malicious hackers to access or modify sensitive data on an organization’s servers because of a lack of proper security checks.

An IDOR vulnerability is like having a key to your mailbox, but that key also allows you to unlock every other mailbox on your street. IDORs can be particularly problematic because, like a row of mailboxes, a bad actor can exploit them sequentially one after the other and access data that they should not be allowed to.

Because these vulnerabilities can often be exploited by enumeration, IDORs can be abused “at scale” using automated tools, the advisory warns.

“While there have been prior open source reports on insecure direct object reference (IDOR) vulnerabilities in web applications, CISA and our partners at the Australian Cyber Security Centre and National Security Agency realized this is a major flaw with too little recognition or understanding within the cyber community. Today’s joint advisory is the first significant advisory on this subject to help organizations protect sensitive data in their systems and push vendors to reduce prevalence of IDOR vulnerabilities and flaws,” James Stanley, CISA Product Development Section Chief, told TechCrunch.

The joint advisory notes that IDORs have resulted in major data breaches in the United States and overseas.

In recent years, IDORs have resulted in the exposure of thousands of medical documents by a U.S. laboratory giant, a state government website that spilled thousands of taxpayers’ personal information, a college contact-tracing app that leaked COVID-19 vaccination status and a state-backed health app that allowed access to other people’s vaccination data. IDORs also resulted in the mass data spill of hundreds of millions of U.S. mortgage documents, the exposure of the real-time location data of more than a million vehicles from a flawed GPS tracker and the leak of hundreds of thousands of people’s private phone data stolen by a global stalkerware network.

The joint advisory says developers should ensure their web apps perform authentication and authorization checks to reduce IDORs, and that software is secure-by-design, a principle promoted by CISA that urges software makers to bake-in security from the beginning and throughout the software development process.

“Secure-by-design is a fundamental theme in this advisory. Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data by design and default,” said CISA’s Stanley.

Australia’s cyber agency said it continues to observe malicious actors exploiting misconfigured networks.

“Even a single breach using IDOR vulnerabilities can have a national impact. A malicious actor being able to exfiltrate data could impact critical infrastructure, businesses, government and individuals,” said Patrick Holmes with the Australian Cyber Security Centre.

Fake passports, real bank accounts: How TheTruthSpy stalkerware made its millions



source https://techcrunch.com/2023/07/27/cisa-nsa-australia-idor-flaws/

Comments

Post a Comment

Popular posts from this blog

Max Q: Psyche(d)

In this issue: SpaceX launches NASA asteroid mission, news from Relativity Space and more. © 2023 TechCrunch. All rights reserved. For personal use only. from TechCrunch https://ift.tt/h6Kjrde via IFTTT
Post a Comment
Read more

Max Q: Anomalous

Hello and welcome back to Max Q! Last week wasn’t the most successful for spaceflight missions. We’ll get into that a bit more below. In this issue: First up, a botched launch from Virgin Orbit… …followed by one from ABL Space Systems News from Rocket Lab, World View and more Virgin Orbit’s botched launch highlights shaky financial future After Virgin Orbit’s launch failure last Monday, during which the mission experienced an  “anomaly” that prevented the rocket from reaching orbit, I went back over the company’s financials — and things aren’t looking good. For Virgin Orbit, this year has likely been completely turned on its head. The company was aiming for three launches this year, but everything will remain grounded until the cause of the anomaly has been identified and resolved. It’s unclear how long that will take, but likely at least three months. Add this delay to Virgin’s dwindling cash reserves and you have a foundation that’s suddenly much shakier than before. ...
Post a Comment
Read more

What’s Stripe’s deal?

Welcome to  The Interchange ! If you received this in your inbox, thank you for signing up and your vote of confidence. If you’re reading this as a post on our site, sign up  here  so you can receive it directly in the future. Every week, I’ll take a look at the hottest fintech news of the previous week. This will include everything from funding rounds to trends to an analysis of a particular space to hot takes on a particular company or phenomenon. There’s a lot of fintech news out there and it’s my job to stay on top of it — and make sense of it — so you can stay in the know. —  Mary Ann Stripe eyes exit, reportedly tried raising at a lower valuation The big news in fintech this week revolved around payments giant Stripe . On January 26, my Equity Podcast co-host and overall amazingly talented reporter Natasha Mascarenhas and I teamed up to write about how Stripe had set a 12-month deadline for itself to go public, either through a direct listing or by pursuin...
Post a Comment
Read more