The Indian Computer Emergency Response Team (CERT-In) has reported an increase in a specific type of exploitation occurring in Indian cyberspace. This attack is related to the Insecure Direct Object Reference (IDOR) vulnerability, which allows unauthorised access to data. According to CERT-In, IDOR vulnerabilities are challenging to detect but can be easily exploited by attackers. Here’s everything you need to know about Insecure Direct Object Reference vulnerabilities and why they pose a significant concern.
What is the Insecure Direct Object Reference vulnerability?
Insecure Direct Object Reference (IDOR) is a significant cybersecurity vulnerability that enables attackers to gain unauthorised access to sensitive data by altering URL or form parameters. For instance, if a URL is structured as /user/123 to display account information, an attacker might manipulate it to /user/456, potentially viewing another user's information, provided the system lacks sufficient permission checks.
According to CERT-In, while IDOR vulnerabilities are relatively simple for attackers to exploit, they can be challenging for developers to identify and remediate.
How can it occur?
An Insecure Direct Object Reference (IDOR) vulnerability occurs when an application exposes a direct reference to an internal resource, such as a file or database record, and fetches that resource using the identifier the client supplies. It arises primarily when a user can manipulate such parameters, often by editing a URL, to reach data they are not authorised to see. The underlying fault is that the application never verifies whether the user has permission to access the resource the modified reference points to.
For instance, if a user is intended to access only their own data but can adjust a URL parameter to view another individual's information, this constitutes an IDOR vulnerability.
A recent example of this issue was highlighted when a simple Google search for "index of Aadhaar card" returned results listing websites hosting citizens' Aadhaar card details. Anyone could follow those links and potentially access the complete information on other people's Aadhaar cards, demonstrating the serious real-world implications of such vulnerabilities.
What does CERT-In recommend?
CERT-In emphasises the importance of taking several proactive measures to mitigate the risk of IDOR (Insecure Direct Object Reference) vulnerabilities. One essential step is to avoid using predictable IDs in URLs; instead, applications should use random codes or secure tokens, which make it far harder for an attacker to guess the references to other users' records.
Additionally, the agency stresses that access checks must be performed on the server side rather than on the user's device, since anything enforced only in the client can be bypassed. This approach ensures tighter control over who can reach which records. Moreover, limiting the number of access attempts and keeping detailed logs can be instrumental in detecting suspicious activity early.
Lastly, CERT-In encourages organisations to perform regular security tests and audits. These evaluations are crucial for identifying any vulnerabilities before they can be exploited, thereby strengthening the overall security posture of applications.
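The following is an added worked example, not code from CERT-In or from any real application: a single "view account" endpoint written first in the vulnerable form described above (the URL parameter alone decides which record is returned) and then hardened with the three controls CERT-In recommends: unpredictable references instead of sequential IDs, a limit on access attempts with logging of what is refused, and an ownership check performed on the server from the session rather than from anything the client sent. The users, names, request shape and function names are all constructed for illustration.

```python
"""Added example (not CERT-In's or any product's code): one account endpoint,
first as an IDOR-vulnerable handler, then hardened with the recommended controls.
All users, names and the request shape below are constructed for illustration."""
import logging
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("idor-demo")

# Constructed sample data: sequential primary keys, as many applications use.
USERS = {
    123: {"name": "Asha", "email": "asha@example.invalid"},
    456: {"name": "Ravi", "email": "ravi@example.invalid"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    session_user_id: int  # taken from the server-side session, never from the client
    path_id: str          # the identifier from the URL path: attacker-controlled


# --- Vulnerable handler: the URL parameter alone decides what is returned ----
def vulnerable_get_account(req: Request):
    """GET /user/<id> with no ownership check: /user/456 from user 123 returns Ravi's record."""
    record = USERS.get(int(req.path_id))
    return (200, record) if record else (404, None)


# --- Mitigation 1: opaque, unpredictable references instead of guessable IDs --
# Internal integer keys stay private; URLs carry a random token that maps back to them.
_REF_TO_ID = {}
_ID_TO_REF = {}


def public_ref(user_id: int) -> str:
    """Return (creating on first use) the opaque token exposed in URLs for this user."""
    if user_id not in _ID_TO_REF:
        ref = secrets.token_urlsafe(16)  # 128 random bits: not enumerable like 123, 124, ...
        _ID_TO_REF[user_id] = ref
        _REF_TO_ID[ref] = user_id
    return _ID_TO_REF[user_id]


# --- Mitigation 2: limit access attempts and log what is refused -------------
class AttemptLimiter:
    """Sliding-window cap on requests per authenticated user."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, user_id: int, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[user_id]
        while hits and now - hits[0] > self.window:
            hits.popleft()  # drop timestamps that fell outside the window
        if len(hits) >= self.max_attempts:
            log.warning("rate limit: user %s exceeded %d requests per %ss",
                        user_id, self.max_attempts, self.window)
            return False
        hits.append(now)
        return True


LIMITER = AttemptLimiter(max_attempts=5, window_seconds=60)


# --- Mitigation 3 (the decisive one): authorisation decided on the server ----
def hardened_get_account(req: Request, now: Optional[float] = None):
    """GET /user/<ref>: rate-limited, token resolved server-side, ownership enforced."""
    if not LIMITER.allow(req.session_user_id, now):
        return (429, None)
    target = _REF_TO_ID.get(req.path_id)
    if target is None:
        return (404, None)  # unknown token: same answer as for a missing record
    if target != req.session_user_id:
        # The random token alone did not stop this request; the session check does.
        log.warning("IDOR attempt: user %s requested record of user %s",
                    req.session_user_id, target)
        return (403, None)
    return (200, USERS[target])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(vulnerable_get_account(Request(123, "456")))         # leaks Ravi's record
    print(hardened_get_account(Request(123, public_ref(456))))  # (403, None), and a log line
    print(hardened_get_account(Request(123, public_ref(123))))  # (200, Asha's record)
```

Two design points worth noting. The random token is a defence in depth, not the fix: if the ownership check were removed, a token that leaked in a log or referrer would still let anyone read that record, which is why the session-based comparison is the control that actually closes the hole. And the 403 that the hardened handler returns confirms to the caller that a record exists behind that token; teams that want to avoid even that disclosure answer 404 for both cases while still writing the "IDOR attempt" log entry, since the log, not the response, is what the detection recommendation relies on.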