Miscreants are exploiting insecure direct object references (IDORs) to abuse websites or web application APIs, a joint US-Australia advisory has warned.
The advisory was published Friday by the Australian Cyber Security Centre (ACSC) and US partners, the National Security Agency (NSA) and the Cyber and Infrastructure Security Agency (CISA).
The advisory explains the vulnerabilities have been exploited to compromise the “personal, financial and health information of millions of users and consumers”.
IDOR vulnerabilities allow attackers to issue requests “to a website or a web application programming interface (API) specifying the user identifier of other, valid users,” the advisory states.
“These requests succeed where there is a failure to perform adequate authentication and authorisation checks.”
Such vulnerabilities, the advisory warns, are “common, hard to prevent outside the development process, and can be abused at scale”.
In such bugs, an application or API uses an identifier such as user ID to access objects such as database records, without checking the authorisation of the user submitting the request.
This, the advisory said, gives rise to a variety of abuses: horizontal vulnerabilities (one user accesses the data of another user at the same privilege level); vertical vulnerabilities (the attacker escalates their privilege); object-level, meaning a user can improperly modify or delete objects; and function-level vulnerabilities, where a user improperly accesses a function or action.
The advisory nominated data breaches from 2012 (a US communications provider), 2019 (US financial sector) and 2021 (a global company), as examples.
While neither organisation has confirmed this, the Optus and Medicare data breaches of 2022 are widely attributed to weakly-protected APIs.
About Author
