Millions of users have personal info stolen due to this simple website access error

(Image credit: Shutterstock / binarydesign)

Sensitive information belonging to millions of people is being stolen from various websites and web apps all across the Internet every day, experts have warned. 

The common denominator in all these incidents appears to be the existence of insecure direct object references (IDOR). These are flaws that allow people to request sensitive information from a website or web app, without the site checking if the user is allowed to access such information in the first place.

Now, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on IDORs, in a joint security bulletin published with the Australian Cyber Security Centre.

Common flaws

In its announcement, CISA notes that hackers are “frequently” taking advantage of IDOR flaws "because they are common, hard to prevent outside the development process, and can be abused at scale."

"Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier," CISA said.

The consequences of these attacks can be quite painful, as they allow threat actors to steal sensitive data such as financial information, health data, or personal files.

This includes incidents such as the 2019 First American Financial security breach (800 million personal files stolen), the Microsoft Teams IDOR flaw discovered in late June 2023, and the two IDOR bugs in Nexx smart home devices found in April 2023. 

Web developers should step up, CISA then states, and implement secure-by-design principles at each step of the development process. That includes incorporating automated code analysis tools that can spot flaws in the code before the apps ever reach the production stage. 

The two organizations also said developers should set up applications “to deny access by default” to make sure the apps perform authentication checks every time someone asks to access or modify any type of sensitive data.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.