Millions of users have personal info stolen due to this simple website access error
CISA sounds the alarm on IDORs as a major security problem
Sensitive information belonging to millions of people is being stolen from various websites and web apps all across the Internet every day, experts have warned.
The common denominator in all these incidents appears to be the existence of insecure direct object references (IDOR). These are flaws that allow people to request sensitive information from a website or web app, without the site checking if the user is allowed to access such information in the first place.
Now, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on IDORs, in a joint security bulletin published with the Australian Cyber Security Centre.
Common flaws
In its announcement, CISA notes that hackers are “frequently” taking advantage of IDOR flaws “because they are common, hard to prevent outside the development process, and can be abused at scale.”
“Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier,” CISA said.
The consequences of these attacks can be quite painful, as they allow threat actors to steal sensitive data such as financial information, health data, or personal files.
This includes incidents such as the 2019 First American Financial security breach (800 million personal files stolen), the Microsoft Teams IDOR flaw discovered in late June 2023, and the two IDOR bugs in Nexx smart home devices found in April 2023.
Web developers should step up, CISA then states, and implement secure-by-design principles at each step of the development process. That includes incorporating automated code analysis tools that can spot flaws in the code before the apps ever reach the production stage.
The two organizations also said developers should set up applications “to deny access by default” to make sure the apps perform authentication checks every time someone asks to access or modify any type of sensitive data.
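To make the flaw described above and the deny-by-default fix concrete, here is an added illustration (not code from the bulletin, from CISA, or from this article): a request handler that trusts a guessable record id beside a hardened version that refuses access unless an explicit ownership check passes, plus a regression check a developer can run in tests. The record store, user names and ids are constructed sample data.

```python
# Added illustration of an insecure direct object reference (IDOR) and the
# deny-by-default fix CISA recommends. Not code from the bulletin or the article;
# the record store, user names and record ids below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str
    body: str


# Constructed sample data: a health-record store keyed by a sequential integer id,
# exactly the kind of exposed, easily guessed identifier the bulletin warns about.
RECORDS = {
    1001: Record(owner="alice", body="blood type O-, allergy: penicillin"),
    1002: Record(owner="bob", body="blood type A+, no known allergies"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested record."""


def get_record_idor(current_user: str, record_id: int) -> str:
    """Vulnerable handler: the id comes straight from the request and the only
    check is that the record exists, so any logged-in user can read any other
    user's record simply by changing the number."""
    return RECORDS[record_id].body


def get_record_secure(current_user: str, record_id: int) -> str:
    """Hardened handler: deny by default. Access is granted only when an explicit
    ownership check on this specific object passes. Missing and foreign records
    are refused with the same exception so the response does not reveal which
    ids exist."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not read record {record_id}")
    return record.body


def readable_ids(handler, current_user: str) -> list:
    """Regression check for the development pipeline: which record ids can this
    user read through the given handler? For a correct handler the answer must
    be exactly the records the user owns, and nothing for an unknown user."""
    readable = []
    for record_id in sorted(RECORDS):
        try:
            handler(current_user, record_id)
        except (Forbidden, KeyError):
            continue
        readable.append(record_id)
    return readable
```

Running `readable_ids` against every handler in a test suite is one cheap way to catch a missing authorization check before the code reaches production.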
Via: The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.