Security News > 2023 > July > Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches
Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data.
A typical example of an IDOR flaw is the ability of a user to trivially change the URL to obtain unauthorized data of another transaction.
"IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface specifying the user identifier of other, valid users," the agencies said.
The authoring entities - the Australian Signals Directorate's Australian Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, and the U.S. National Security Agency - noted that such flaws are being abused by adversaries to compromise the personal, financial, and health information of millions of users and consumers.
To mitigate such threats, it's recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
"To guard against the successful Valid Accounts technique, critical infrastructure entities must implement strong password policies, such as phishing-resistant , and monitor access logs and network communication logs to detect abnormal access," CISA said.
News URL
https://thehackernews.com/2023/07/cybersecurity-agencies-warn-against.html