Overview
An attacker might access another user's account if the app uses predictable references to user data. Insecure direct object references (IDOR) occur when an application provides direct access to objects based on user-supplied input, without properly validating whether the user is authorized to access that resource. These references often come in the form of predictable IDs or database keys. If the application doesn't properly check permissions, an attacker can manipulate these references to access resources that belong to other users.
Risk factors
IDOR can arise in these conditions:
- Using sequential or easily guessable references (e.g., user ID numbers like 123, 124, 125) can make it easy for attackers to access unauthorized data.
- If the application doesn’t check whether the user has permission to access a specific resource after receiving the reference, it leaves the app vulnerable.
- Not encrypting references when they are transmitted across the network makes it easier for attackers to intercept and manipulate them.
Consequences
If an IDOR vulnerability is exploited, the following can happen:
- Unauthorized account access: Attackers could gain access to other users’ accounts, allowing them to view or modify sensitive information.
- Data leakage: Confidential user data could be exposed to attackers, who could then sell or misuse it.
- Reputation damage: Successful IDOR attacks often lead to major data breaches, damaging the app provider’s reputation and leading to loss of user trust.
- Legal and regulatory consequences: In cases where personal data is exposed, the company could face hefty fines under regulations like GDPR or CCPA.
Solutions and best practices
To mitigate the risks associated with IDOR, organizations should implement the following security measures:
- Access control: Always enforce strict access control by ensuring that every request to access a resource is properly authenticated and authorized.
- Object reference mapping: Use indirect references (e.g., hashed values) rather than predictable ones to make it harder for attackers to guess object identifiers.
- Input validation: Validate user input rigorously to prevent manipulation of object references.
- Monitoring: Set up comprehensive logging and monitoring to detect suspicious access patterns, such as multiple sequential resource access attempts by a single user.
- App shielding: App shielding techniques, such as tampering detection and encrypted reference tokens, can help reduce the risk of IDOR vulnerabilities by making it more difficult for attackers to manipulate object references.
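The two central controls above, a per-request authorization check and an indirect object reference, shown side by side with the vulnerable lookup they replace. This is an added illustration, not code from the original page; the document table, user names and server key are constructed, and the HMAC-bound reference is one possible indirect-reference scheme, used here to bind a reference to the user it was issued to while still keeping the ownership check as the authoritative control.

```python
import hmac
import hashlib

# Constructed sample data: a table keyed by sequential ids, the IDOR-prone case.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}

class Forbidden(Exception):
    """Raised when a request fails authorization."""

def get_document_vulnerable(user, doc_id):
    # Vulnerable: the user-supplied id is trusted, any logged-in user can read any row.
    return DOCUMENTS[doc_id]["body"]

def get_document_checked(user, doc_id):
    # Hardened: authorize on every request; the reference alone proves nothing.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("access denied")
    return doc["body"]

# Indirect reference: "<id>.<tag>" where the tag is an HMAC over (user, id).
# Constructed secret; a real deployment keeps it in a secrets store and rotates it.
SERVER_KEY = b"constructed-server-secret"

def make_ref(user, doc_id):
    # Issued to a specific user; the same doc gets a different tag per user.
    msg = f"{user}:{doc_id}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"{doc_id}.{tag}"

def resolve_ref(user, ref):
    # Verify the reference was issued to this user, then still run the ownership check.
    doc_id_str, _, _tag = ref.partition(".")
    if not doc_id_str.isdigit():
        raise Forbidden("malformed reference")
    doc_id = int(doc_id_str)
    if not hmac.compare_digest(make_ref(user, doc_id), ref):
        raise Forbidden("reference not issued to this user")
    return get_document_checked(user, doc_id)

def is_denied(fn, *args):
    # Small helper so callers can test authorization outcomes without try/except.
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

Note that the tampered reference and the foreign id are both refused with the same error, which is what keeps the indirect scheme from becoming a new enumeration channel.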
Further reading