Subj : Millions of users have personal info stolen due to this simple we To : All From : TechnologyDaily Date : Mon Jul 31 2023 12:15:03 Millions of users have personal info stolen due to this simple website access error Date: Mon, 31 Jul 2023 10:59:11 +0000 Description: IDORs are becoming a major problem and CISA is sounding the alarm. FULL STORY ====================================================================== Sensitive information belonging to millions of people is being stolen from various websites and web apps all across the Internet every day, experts have warned. The common denominator in all these incidents appears to be the existence of insecure direct object references (IDOR). These are flaws that allow people to request sensitive information from a website or web app, without the site checking if the user is allowed to access such information in the first place. Now, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on IDORs, in a joint security bulletin published with the Australian Cyber Security Centre. Common flaws In its announcement, CISA notes that hackers are frequently taking advantage of IDOR flaws "because they are common, hard to prevent outside the development process, and can be abused at scale." "Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessedallowing any user to use or modify the identifier," CISA said. Read more > This serious Microsoft Teams security flaw could let external accounts infect your calls, so beware > Hackers can crack smart garage doors due to this embarrassing security flaw > These are the best malware removal tools right now The consequences of these attacks can be quite painful, as they allow threat actors to steal sensitive data such as financial information, health data, or personal files. This includes incidents such as the 2019 First American Financial security breach (800 million personal files stolen), the Microsoft Teams IDOR flaw discovered in late June 2023, and the two IDOR bugs in Nexx smart home devices found in April 2023. Web developers should step up, CISA then states, and implement secure-by-design principles at each step of the development process. That includes incorporating automated code analysis tools that can spot flaws in the code before the apps ever reach the production stage. The two organizations also said developers should set up applications to deny access by default to make sure the apps perform authentication checks every time someone asks to access or modify any type of sensitive data. Check out the best firewalls today Via: The Register ====================================================================== Link to news story: https://www.techradar.com/pro/millions-of-users-have-personal-info-stolen-due- to-this-simple-website-access-error --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .