Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Millions of users have personal info stolen due to this simple website access error

security

Sensitive information belonging to millions of people is being stolen from various websites and web apps all across the Internet every day, experts have warned. 

The common denominator in all these incidents appears to be the existence of insecure direct object references (IDOR). These are flaws that allow people to request sensitive information from a website or web app, without the site checking if the user is allowed to access such information in the first place.

Now, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on IDORs, in a joint security bulletin published with the Australian Cyber Security Centre.

Common flaws

In its announcement, CISA notes that hackers are “frequently” taking advantage of IDOR flaws "because they are common, hard to prevent outside the development process, and can be abused at scale."

"Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier," CISA said.

The consequences of these attacks can be quite painful, as they allow threat actors to steal sensitive data such as financial information, health data, or personal files.

This includes incidents such as the 2019 First American Financial security breach (800 million personal files stolen), the Microsoft Teams IDOR flaw discovered in late June 2023, and the two IDOR bugs in Nexx smart home devices found in April 2023. 

Web developers should step up, CISA then states, and implement secure-by-design principles at each step of the development process. That includes incorporating automated code analysis tools that can spot flaws in the code before the apps ever reach the production stage. 

The two organizations also said developers should set up applications “to deny access by default” to make sure the apps perform authentication checks every time someone asks to access or modify any type of sensitive data.

Via: The Register

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.