Millions of people's data stolen because web devs forget to check access perms

2023-07-29 00:09

They essentially occur when a web app or a web API backend doesn't properly check that a user is actually allowed to access some info from a database or some other resource.

More specifically, IDOR bugs can occur when access is granted to stuff on the basis of the user's input, rather than from looking up that person's access rights.

Ideally the web app should only show transactions belonging to the logged-in user, but if it just blindly accepts any given id number and displays the corresponding transaction for whoever is logged in, that's an IDOR. Someone could just try out the full range of IDs or selected ones, and see other people's transaction details, which will presumably contain personal and private information.

To help prevent data breaches due to IDOR bugs, the agencies suggest that vendors and web app developers implement secure-by-design principles at each stage of the software development process.

This one deserves a shout out: "Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data."

For end-user orgs deploying on-premises software, infrastructure-as-a-service, or private cloud models, the agencies recommend reviewing authentication and authorization checks in any web apps that enable access to, or modification of, sensitive data.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/29/cisa_nsa_idor_australia/

#devs #WEB