If there are so many data leaks, it’s largely because of the developers, according to this report


According to the US Cybersecurity and Infrastructure Security Agency, application and website developers have a lot to do with the current resurgence of personal data leaks and thefts.


CISA and its Australian counterpart released a joint report finding that personal data leaks are increasingly costly and frequent. “Millions of people’s personal, financial and medical information has been stolen through a particular type of website vulnerability,” they said: IDOR, or “Insecure Direct Object References”. This flaw is indeed very common, because on closer inspection it relies on a pattern that is everywhere on today’s web.

CISA takes the example of a fictitious site through which a user’s personal data can be accessed by entering their identifier in the request parameters, in the URL address, in the form www.dangeroussite.com?id=USERIDENTIFIER. In theory, the whole part after “?id=” should be encrypted, so that no one knows the real user ID. In practice, this is not the case, and hackers steal data with this seemingly innocuous little piece of information.

According to the United States, developers are primarily responsible for data theft

According to US cybersecurity authorities, this IDOR flaw is very common. “Hackers take advantage of them because they are common, difficult to prevent outside of the development process, and they can be exploited on a large scale […] These access control flaws therefore allow cybercriminals to modify, delete or access sensitive data by sending requests to a website or an API specifying the identification of other valid users. These requests are successful when proper authentication and authorization checks are not performed.”

Given the magnitude of the phenomenon, CISA is asking software publishers, designers, and developers to use automated code review tools such as Microsoft’s Security Copilot to identify IDORs and other vulnerabilities, and to use indirect references so as not to expose user identifiers and other resources. Above all, organizations are asked to carefully select the software and services with which they will work.
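To make the two recommendations concrete, here is an added Python example (not code from the report or from any real site) showing the flawed lookup that trusts the “?id=” parameter beside a hardened version that both checks ownership and hands out indirect, per-session references instead of real user IDs. The user records, IDs and function names are constructed for illustration.

```python
# Constructed example (not from the report): the flawed lookup that trusts ?id=...,
# beside a hardened one using an ownership check plus indirect references.
import secrets

# Constructed backing store of real user IDs -> records (hypothetical data).
USERS = {
    1001: {"name": "Alice", "email": "alice@example.test"},
    1002: {"name": "Bob", "email": "bob@example.test"},
}

class AuthorizationError(Exception):
    """Raised when the caller may not access the requested record."""

def vulnerable_lookup(params: dict) -> dict:
    """IDOR: the id parameter is trusted; any valid id returns that user's data."""
    return USERS[int(params["id"])]

class IndirectRefMap:
    """Per-session map of random tokens -> real IDs, minted only for owned records."""
    def __init__(self, session_user_id: int):
        self.session_user_id = session_user_id
        self._tokens: dict[str, int] = {}

    def issue(self, real_id: int) -> str:
        if real_id != self.session_user_id:  # never reference someone else's record
            raise AuthorizationError("cannot reference another user's record")
        token = secrets.token_urlsafe(16)  # unguessable, meaningless outside this session
        self._tokens[token] = real_id
        return token

    def resolve(self, token: str) -> int:
        try:
            return self._tokens[token]
        except KeyError:
            raise AuthorizationError("unknown or foreign reference") from None

def hardened_lookup(params: dict, refs: IndirectRefMap) -> dict:
    """Resolve the opaque token, then re-check ownership (defence in depth)."""
    real_id = refs.resolve(params["ref"])
    if real_id != refs.session_user_id:
        raise AuthorizationError("record does not belong to the session user")
    return USERS[real_id]

def is_denied(fn, *args) -> bool:
    """True if the call is refused by an authorization check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False
```

The indirect reference alone is not the fix: the ownership check in `hardened_lookup` is what actually enforces authorization, and the token only stops real identifiers from leaking into URLs and logs.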


