The Indian Computer Emergency Response Team (CERT-In), recently, said that it has observed an increase in exploitation of insecure direct object reference (IDOR) vulnerability in the Indian cyberspace.
The exploitation of this vulnerability can lead to unauthorised access to data, resulting in potential data breach.
"IDORs can have serious consequences for cyber security and be very hard to find, though exploiting them can be as simple as manually changing a URL parameter," CERT-In said.
But what is IDOR, and why is India's nodal agency for cybersecurity worried about that? Let us take a look!
What is an IDOR vulnerability?
An Insecure Direct Object Reference (IDOR) is a cybersecurity vulnerability that allows attackers to access unauthorised data by manipulating URL or form parameters.
For example, if a URL contains something like /user/123 to show your account info, an attacker could change it to /user/456 and see another user’s info if the system doesn’t check for proper permissions.
CERT-In said that IDOR vulnerabilities are easy for attackers to exploit but difficult for developers to detect.
What leads to an IDOR vulnerability?
An IDOR vulnerability can happen, if firstly, the application directly references an internal resource, such as a file or database entry. Secondly, if a user can manipulate parameters by changing URLS to access other data. And lastly, it can also take place if the application does not check if the user has permission to access the modified resource.
In essence, IDOR vulnerabilities are easy for attackers to exploit but difficult for developers to detect. For example, if a user is supposed to access only their data but can change a URL parameter to access someone else’s data, that’s an IDOR vulnerability.
What are some of the examples of IDOR vulnerability exploitation?
Recently, it was found that was found that a simple Google search -- "index of Aadhaar card" -- returned results, which listed out websites that were hosting citizens' Aadhaar details. One can simply click on these websites to access complete details of citizens' Aadhaar.
This happened as a result of an IDOR vulnerability. Moneycontrol was the first to report that Unique Identification Authority of India and CERT-In were probing into the matter.
In 2013, a security researcher discovered that Facebook allowed unauthorised users to view private photos by manipulating photo IDs in URLs. In 2019, another IDOR flaw allowed unauthorised access to private user posts by altering URL parameters.
What are CERT-In's recommendations on this?
CERT-In recommends several key steps to prevent IDOR vulnerabilities. First, instead of showing direct IDs in URLs, applications should use random codes or secure tokens to make data harder to guess.
The agency also said that security checks should be performed on the server side rather than relying on the user’s device. Limiting access attempts and keeping detailed logs can help detect suspicious activity early on.
Finally, the agency recommended regular security tests and audits to identify any weaknesses before they can be exploited.
Why is IDOR prevention important?
CERT-In said that organisations can face severe impacts from IDOR vulnerabilities, including loss of customer trust, regulatory non-compliance, and potential fines. It emphasised building a robust access control system, regular audits, and secure development practices to safeguard applications from such attacks.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
