Note: This series aims to analyze and simplify breach and vulnerability reports, which are usually cryptic and mostly written by legal. The simplified version hopes to educate and help security and engineering leadership avoid the same mistakes.

A common vulnerability that can exist across multiple endpoints.

Exploit Rule #1: Hackers are looking for monetizable data like customer names, emails, addresses, company names, credit cards, transactions, orders, financial records, etc., unless the intention is to disrupt your business.

The above URL suggests that it is a document endpoint. It may contain sensitive and financial information, since First American Financial is a financial company. This endpoint is more important to hackers than, let's say, the "/locations" or "/products" endpoints, which are mostly public information; exploiting or accessing that data has very little financial gain. Once the hackers identify endpoints with critical data, the next step is to look for the exploits.

The IDOR is a common design practice across the industry to solve some common problems; for example, Google Docs and Dropbox both use this design to allow users to share private documents just by sharing the auto-generated, non-guessable document URLs. The only time this design becomes easy prey is when the URLs are guessable or predictable, and in First American Financial's case it seems the product had sequential or number-based document IDs. That means it was easy to guess the document IDs for the entire 885 million records. If the above URL were public or non-protected, meaning it did not require any authentication, then this would have allowed hackers to download all the data without leaving any digital fingerprints. It also requires much less work on their part, as they don't have to sign up for the service or steal a customer's or employee's credentials to perpetrate the breach.

Never ever use sequential numbers or weak random string generators. These are easy to predict or reverse-generate. Example of good ID design: Google's private doc's public URL (the highlighted ID is tough to guess or predict).
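To make the contrast concrete, here is an added example in Python (not code from the original post or from First American Financial's product): a constructed document store with sequential IDs and no access check on read, beside one that issues 128-bit CSPRNG IDs and enforces object-level authorization on every read, plus a self-check that counts how many guessed IDs an anonymous requester can actually resolve. All class and function names are made up for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Document:
    doc_id: str
    owner: str
    body: str = ""
    shared_with: set = field(default_factory=set)

class WeakDocumentStore:
    """Constructed 'before' design: sequential IDs, no access check on read."""

    def __init__(self):
        self._next_id = 1
        self._docs = {}

    def create(self, owner, body):
        doc_id = str(self._next_id)          # 1, 2, 3, ... one known ID reveals them all
        self._next_id += 1
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def fetch(self, doc_id, requester=None):
        return self._docs.get(doc_id)        # the URL is the only "secret"

class HardenedDocumentStore(WeakDocumentStore):
    """Hardened design: CSPRNG 128-bit IDs plus object-level authorization on read."""

    def create(self, owner, body):
        doc_id = secrets.token_urlsafe(16)   # 16 random bytes -> 22 URL-safe chars
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def share(self, doc_id, owner, grantee):
        doc = self._docs.get(doc_id)
        if doc is not None and doc.owner == owner:   # only the owner may grant access
            doc.shared_with.add(grantee)

    def fetch(self, doc_id, requester=None):
        doc = self._docs.get(doc_id)
        if doc is None or requester not in (doc.owner, *doc.shared_with):
            return None                      # same as 'not found': no existence leak
        return doc

def count_resolvable(store, candidate_ids, requester=None):
    """Defender self-check: how many guessed IDs the given (default: anonymous)
    requester can resolve through the endpoint."""
    return sum(1 for c in candidate_ids if store.fetch(c, requester) is not None)
```

Even a random ID alone is not enough: the hardened store still rejects an anonymous request that presents a valid ID, so a leaked link does not become a standing credential.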