IDOR Attacks and the Growing Threat to Your API Security

A recent advisory has highlighted the increasing threat posed by IDOR vulnerabilities. In this article, we explain Insecure Direct Object Reference (IDOR) attacks, explore their rise, and examine how these vulnerabilities impact API security.

IDOR Attacks and the Growing Threat to Your API Security

IDOR Attacks: Common And Deadly

IDOR attacks, or Insecure Direct Object Reference (IDOR) attacks, are one of the most common and costly forms of API breach. In an IDOR attack, hackers directly reference internal objects in a web application that uses APIs1

IDOR attacks specific to APIs consist of 3 primary types of breaches:

  1. BOLA (Broken Object Level Authorization)
  2. BOPLA (Broken Object Property Level Authorization) attacks.
    The former uses a user ID while the latter a specific property of the ID (i.e.: their email address) to force unauthorized access.
  3. BFLA (Broken Functional Level Authorization)

These attacks all manipulate parameters within an API endpoint’s user or object ID (or similar), which can be as simple as changing numbers in a URL, to exchange the ID in the API call with another data record, like another user ID. 

Since applications should have authentication in place, bad actors need a valid user account to get in. Once inside, they exploit authorization vulnerabilities in application / business logic to access data and resources.

A basic overview of how IDOR attacks work.

The Rise of IDOR Attacks

At the end of July, a joint advisory from the Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) stated that IDOR/BOLA attacks are a key issue companies need to address2.

The updated OWASP API Top Ten for this year added broken authorization checks to its list due to the rising urgency of these kinds of attacks. This rapid rise in IDOR attacks can also be observed in FireTail’s Data Breach Tracker over the past 12 years3

Based on these trends, IDOR vulnerabilities are rapidly becoming one of the most important parts of API security. 

The advisory highlights the importance of implementing best practices for security-by-design principles in applications, such as secure coding practices, to protect against these attacks. 

An API security strategy must contain multiple layers, including API discovery and visibility, security policy assessment, runtime protection and a centralized audit trail to track API events and breaches continuously. 

Strong authorization checks are top priority in preventing IDOR vulnerabilities.

Overall, developers must be educated on IDOR/BOLA attacks, so they can keep up with the best security practices to prevent hackers from taking advantage of IDOR vulnerabilities. Otherwise, they leave their APIs open to a whole host of problems.

BFLA - similar to IDOR

Another key topic related to IDOR is BFLA - broken function-level authorization. Just as access to data needs to be authorized inside an application, access to various functions or function calls inside an application needs to be accessed. This is where APIs present a unique challenge, as APIs are commonly the access point to both data and functions. In fact, a recent massive-scale disclosure around APIs in the travel industry highlighted that a points and miles transfer function was vulnerable to unauthorized invocation4 

Costly Consequences

IDOR attacks can lead to sensitive information breaches, identity theft, and loss of finances as well as trust, which might never be regained. Once a group has experienced an IDOR breach, repairing the damage is a difficult if not impossible process.

IDOR vulnerabilities have already compromised sensitive information for millions of users and consumers5. In 2021, it was discovered that Peloton fitness APIs had endpoints that unauthenticated attackers could use to collect information on subscribers, including Joe Biden.

From that same year, the joint advisory cited multiple IDOR attacks, including the data breach involving "stalkerware" apps transferring harvested data including texts, emails, and even geo-locations to servers affected by an IDOR vulnerability6

Another devastating breach occurred back in 2019, when hackers used an IDOR vulnerability to expose The First American Financial Corp., releasing over 800 million personal financial files, including banking information7

And in 2017, the McDonalds app in India was breached, leaking information for over 2.2 million users8. McDonalds neglected to fix this, but the payment company Fallible brought it to public attention, after which McDonalds released a statement via twitter telling users what information was NOT leaked, in an attempt to soften the blow. 

These incidents are examples of how an IDOR vulnerability can be exploited to wreak havoc on unsuspecting customers.

About FireTail

FireTail engineered a hybrid approach to API security: an open source library that protects programmable interfaces with inline API call evaluation and blocking, cloud-based API security posture management, centralized audit trail, and detection and response capabilities. 

FireTail is the only company offering these capabilities together, ultimately helping organizations eliminate API vulnerabilities from their applications and providing runtime API protection.

FireTail is headquartered in Washington, DC, with additional offices in Dublin, Ireland and Helsinki, Finland. FireTail is backed by leading investors, including Paladin Capital, Zscaler, General Advance and SecureOctane.

FireTail. API Security.

Import, Setup, Done.


References

1-https://www.securitymagazine.com/articles/99693-security-leaders-discuss-cisa-advisory-of-idor-web-app-vulnerabilities

2-https://securityboulevard.com/2023/08/joint-advisory-warns-of-threat-from-idor-vulnerabilities/

3- https://www.firetail.io/api-data-breach-tracker

4-https://heimdalsecurity.com/blog/what-is-broken-object-level-authorization-bola/

5-https://www.darkreading.com/dr-tech/apis-need-to-locked-down-to-prevent-breaches

6-https://www.bleepingcomputer.com/news/security/cisa-warns-of-breach-risks-from-idor-web-app-vulnerabilities/

7-https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

8-https://www.bankinfosecurity.com/blogs/mcshame-mcdonalds-api-leaks-data-on-22-million-p-2426