Web applications are at risk of cyber attacks because of access-control vulnerabilities, according to cyber security agencies in Australia and the USA. In a joint statement, they have highlighted the threat posed by Insecure Direct Object Reference (IDOR) vulnerabilities, which enable unauthorized access to, modification of, or deletion of other people’s data.
An IDOR vulnerability occurs when a web application takes an identifier supplied by the user and uses it directly to access an internal resource, such as a database record, without checking that the requesting user is actually authorized to access that resource. A classic example is a user who can reach another person’s record simply by changing an identifier in the URL.
The joint statement explains that “IDOR vulnerabilities refer to access control vulnerabilities that allow attackers to modify or delete data or gain unauthorized access to sensitive information by submitting requests to a website or program interface (API) using identifiers of other legitimate users. These requests succeed when there is insufficient authentication and authorization testing.”
The statement, issued by the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA), emphasizes that attackers exploit these weaknesses to compromise the personal, financial, and medical data of millions of users and consumers.
To mitigate these threats, the statement recommends that software suppliers, designers, and developers adopt the principles of “Security-by-Design and by-Default,” ensuring that their software conducts thorough authentication and authorization checks for each request that alters or accesses sensitive data.
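The lookup pattern described above, and the per-request authorization check the agencies recommend, side by side. This is an added example and not code from the advisory or any named vendor; the invoice records, user IDs and the in-memory store are constructed for illustration, and the session user ID is assumed to come from a server-side session rather than from the request.

```python
# Added example (not from the advisory): an IDOR-prone lookup next to a
# hardened version that authorizes every request against the server-side
# session identity. All data below is constructed for illustration.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample "database": invoices belonging to two different users.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=40.0),
    102: Invoice(102, owner_id=2, amount=99.5),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_idor(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: trusts the identifier from the request and never checks
    who owns the record, so user 1 can read invoice 102 by changing the ID."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(session_user_id: int, invoice_id: int) -> Invoice:
    """Hardened: the authorization decision is made on every request, using
    the identity from the server-side session (assumed), never the client."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the response does not
    # confirm which identifiers exist.
    if invoice is None or invoice.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access invoice {invoice_id}")
    return invoice


def can_read(session_user_id: int, invoice_id: int) -> bool:
    """True only when the hardened check passes for this user and record."""
    try:
        get_invoice_checked(session_user_id, invoice_id)
        return True
    except Forbidden:
        return False
```

In a real application the same ownership check belongs on every read, update and delete path, including API endpoints, not only on the page that renders the record.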
This announcement comes shortly after CISA published its analysis of risk and vulnerability assessments conducted at various federal agencies and at critical infrastructure operators in the private and public sectors. According to that study, the use of valid accounts was the most common successful attack technique, followed by targeted phishing campaigns and exploitation of external remote services.