
US, Australia cyber agencies warn IDOR security flaws can be exploited ‘at scale’

U.S. and Australian government cybersecurity agencies are warning that common and easily exploitable security vulnerabilities in websites and web apps can be abused to carry out large-scale data breaches.

In a joint advisory published Thursday, U.S. cybersecurity agency CISA, the National Security Agency and the Australian Cyber Security Centre said that the vulnerabilities, known as insecure direct object references (IDORs), allow malicious hackers to access or modify sensitive data on an organization’s servers because of a lack of proper security checks.

An IDOR vulnerability is like having a key to your mailbox that also opens every other mailbox on your street: the web app accepts a reference to an object (a record number, a document ID, a filename) straight from the request and hands the object back without checking that the requester is allowed to see it. IDORs are particularly dangerous because, like a row of mailboxes, an attacker can try them one after another and read data they should never have been able to reach.

Because the references are often predictable, such as sequential numeric IDs, an attacker who finds one IDOR can enumerate the rest with automated tools and abuse the flaw “at scale,” the advisory warns.

“While there have been prior open source reports on insecure direct object reference (IDOR) vulnerabilities in web applications, CISA and our partners at the Australian Cyber Security Centre and National Security Agency realized this is a major flaw with too little recognition or understanding within the cyber community. Today’s joint advisory is the first significant advisory on this subject to help organizations protect sensitive data in their systems and push vendors to reduce prevalence of IDOR vulnerabilities and flaws,” James Stanley, CISA Product Development Section Chief, told TechCrunch.

The joint advisory notes that IDORs have resulted in major data breaches in the United States and overseas.

In recent years, IDORs have resulted in the exposure of thousands of medical documents by a U.S. laboratory giant, a state government website that spilled thousands of taxpayers’ personal information, a college contact-tracing app that leaked COVID-19 vaccination status and a state-backed health app that allowed access to other people’s vaccination data. IDORs also resulted in the mass data spill of hundreds of millions of U.S. mortgage documents, the exposure of the real-time location data of more than a million vehicles from a flawed GPS tracker and the leak of hundreds of thousands of people’s private phone data stolen by a global stalkerware network.

The joint advisory says developers should ensure their web apps perform authentication and authorization checks on every request that references a data object to reduce IDORs, and that software is secure-by-design, a principle promoted by CISA that urges software makers to bake in security from the beginning and throughout the software development process.
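To make the “at scale” point and the recommended fix concrete, here is an added example that is not from the advisory or the TechCrunch article: a document endpoint with an IDOR beside its hardened form, an attacker-style enumeration run against both, and a small detector over the access log the hardened handler writes. The data store, the user and document IDs, and the function names are all constructed for illustration.

```python
"""Added example (not from the advisory or TechCrunch): an IDOR endpoint beside its
hardened form, an attacker-style enumeration run against both, and a small
detector over the resulting access log. All names and data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample store: sequential integer IDs, owned by three users.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, owner_id=1, body="user 1 lab results"),
    1002: Document(1002, owner_id=2, body="user 2 lab results"),
    1003: Document(1003, owner_id=3, body="user 3 lab results"),
    1004: Document(1004, owner_id=1, body="user 1 invoice"),
}

# (session_user_id, doc_id, allowed) records, appended by the hardened handler.
ACCESS_LOG: List[Tuple[int, int, bool]] = []


def get_document_vulnerable(session_user_id: int, doc_id: int) -> Optional[Document]:
    """IDOR: the caller is authenticated, but nothing ties doc_id to that caller."""
    return DOCUMENTS.get(doc_id)


def get_document_hardened(session_user_id: int, doc_id: int) -> Optional[Document]:
    """Authorization is decided from the server-side session identity, never from
    the client-supplied reference alone. A missing object and a forbidden object
    get the same answer so the endpoint does not confirm which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    allowed = doc is not None and doc.owner_id == session_user_id
    ACCESS_LOG.append((session_user_id, doc_id, allowed))
    return doc if allowed else None


Handler = Callable[[int, int], Optional[Document]]


def enumerate_documents(handler: Handler, session_user_id: int,
                        start: int, stop: int) -> Dict[int, int]:
    """Simulate the 'at scale' abuse: one valid session walks sequential IDs.
    Returns {doc_id: owner_id} for every document that belongs to someone else."""
    leaked: Dict[int, int] = {}
    for doc_id in range(start, stop):
        doc = handler(session_user_id, doc_id)
        if doc is not None and doc.owner_id != session_user_id:
            leaked[doc_id] = doc.owner_id
    return leaked


def sessions_probing_ids(log: List[Tuple[int, int, bool]],
                         min_denials: int = 5) -> Dict[int, int]:
    """Detection heuristic: a session denied on many distinct object IDs looks like
    enumeration. Returns {session_user_id: distinct_denied_ids} at or over the threshold."""
    denied: Dict[int, Set[int]] = {}
    for user_id, doc_id, allowed in log:
        if not allowed:
            denied.setdefault(user_id, set()).add(doc_id)
    return {u: len(ids) for u, ids in denied.items() if len(ids) >= min_denials}


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_documents(get_document_vulnerable, 1, 1000, 1010))
    print("hardened leaks:  ", enumerate_documents(get_document_hardened, 1, 1000, 1010))
    print("flagged sessions:", sessions_probing_ids(ACCESS_LOG))
```

Run stand-alone, the vulnerable handler hands user 1 the two documents owned by users 2 and 3 after a ten-ID walk, the hardened handler leaks nothing, and the same walk leaves eight denials in the log for that session, which is the signal a detection rule can alert on. Replacing sequential IDs with unguessable ones slows enumeration but is not a substitute for the per-request ownership check: a leaked or shared link still has to be authorized against the session that presents it.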

“Secure-by-design is a fundamental theme in this advisory. Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data by design and default,” said CISA’s Stanley.

Australia’s cyber agency said it continues to observe malicious actors exploiting misconfigured networks.

“Even a single breach using IDOR vulnerabilities can have a national impact. A malicious actor being able to exfiltrate data could impact critical infrastructure, businesses, government and individuals,” said Patrick Holmes with the Australian Cyber Security Centre.



from TechCrunch https://ift.tt/gWxbUQE
via IFTTT
