Heimdal
Home > Cybersecurity News

Eyes on IDOR Vulnerabilities! US and Australia Release Joint Advisory

Developers Are Encouraged to Implement the Secure-by-design Principle.

Last updated on August 2, 2023

article featured image

Contents:

Cybersecurity agencies in Australia and the U.S. issued an advisory that warns about security flaws in web applications that could result in large-scale data breaches.

The advisory refers to a certain sort of vulnerability called Insecure Direct Object Reference (IDOR). IDOR is a variety of access control bugs that surface when user-supplied input is used without additional validation. The flaws enable threat actors to issue requests to websites or APIs without authentication.

What Is at Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) stated that:

These vulnerabilities are common and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools.

IDOR vulnerabilities were already leveraged to expose the personal, financial, and health data of millions of people. Hackers used them to data breach governmental institutions, healthcare, educational organizations, and financial companies, to name just a few.

Recommended Safety Measures

As a result, CISA and ACSC ask vendors and developers to implement the secure-by-design and -default principles. They should make sure the software they produce secure-by-design or sell performs authentication and authorization checks for the queries that access, change, or delete sensitive data.

The advisory recommends using:

  • automated tools for code review
  • indirect reference maps to prevent IDs, names, and keys from being exposed in URLs
  • only extremely carefully selected third-party libraries or frameworks they must incorporate into their apps

According to the advisory, all end-user organizations should take very seriously applying patches in a timely manner.

The cybersecurity agencies also recommend companies using on-premises software, or private cloud models to regularly perform vulnerability scanning and penetration testing.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

Automated Patch Management Explained: Definition, Benefits, Best Practices & MoreWhat Is Vulnerability Scanning: Definition, Types, Best PracticesIn Response to Widespread Attacks Heimdal Offers Free Ransomware Protection to NHS TrustsWhat Is API Security?The Anatomy of PTaaS: What Is Penetration Testing as a ServiceWhat Is a Data Breach and How to Prevent It

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V