Comment by Daviey
7 days ago
Perhaps I'm being overly cynical, but I'm struggling to see how this qualifies as an IDOR in the strict sense. While using UUIDs might reduce guessability, the real issue here is weak authentication, not insecure direct object references.
OWASP defines an IDOR as "an access control vulnerability that occurs when an application uses user-supplied input to access objects directly… without verifying the user is authorized for the target object" (OWASP Top 10 2021 – A01: Broken Access Control). But in this case, access to highly privileged internal functionality was granted simply by logging in with default credentials; no authorization bypass was needed because authentication was effectively absent.
This aligns more closely with CWE-1390: "Use of Default Credentials" and CWE-306: "Missing Authentication for Critical Function." The attacker was able to log in as a privileged user due to trivial credentials, and the lack of multi-factor authentication (MFA) further compounded the issue. Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant. That makes it clear the real vulnerability lies in the authentication mechanism and not in how object references were structured.
> Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant
Not really? The vulnerability might not have been discovered if that was the case, but it doesn’t change the fact that anyone who has access to the system can gain access to all of the data in the system, right?
Perhaps I misunderstood, but I read it as the account they got access to was a highly privileged account, which did have general access to all data.
The report didn't make it clear to me if an unauthorised user, or an account with low privilege can still access data they otherwise should not have access to.
If this is true, then I agree it is an IDOR, but I read it as they had access because of their current context.
> It turned out we had become the administrator of a test restaurant inside the McHire system.
I don’t think you would expect the administrator of a single restaurant to have access to the data of all 64M applicants globally.
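The distinction the thread is arguing over (an authentication failure such as default credentials versus a missing object-level authorization check) is easiest to see in code. The example below is added here; it is not code from the McHire system, from the report, or from any commenter. It models a constructed multi-tenant applicant store: a handler that only checks that the caller is logged in (the pattern OWASP describes as IDOR, where a user-supplied id is used directly) next to one that also checks that the record belongs to the caller's restaurant. The session fields, record layout and sample data are all assumptions made for the illustration.

```python
"""Authentication versus object-level authorization.

Constructed example, not the McHire code base. A "restaurant" is the tenant;
an applicant record belongs to exactly one restaurant.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Assumed session shape: who is logged in and which tenant they administer."""
    user: str
    restaurant_id: int
    is_global_admin: bool = False


# Constructed sample data: applicant_id -> (owning restaurant_id, name)
APPLICANTS = {
    1001: (1, "Applicant A"),
    1002: (1, "Applicant B"),
    2001: (2, "Applicant C"),
}


class Unauthenticated(Exception):
    """No valid session at all (the default-credentials problem lives here)."""


class Forbidden(Exception):
    """Valid session, but not authorized for this particular object."""


def get_applicant_auth_only(session: Optional[Session], applicant_id: int) -> Tuple[int, str]:
    """Checks only that *someone* is logged in, then uses the supplied id directly.

    This is the access-control gap the OWASP definition describes: any
    authenticated user, including a single restaurant's admin, can read any
    applicant by enumerating ids. Fixing the login (MFA, no default
    credentials) does not close this gap; it only limits who can reach it.
    """
    if session is None:
        raise Unauthenticated()
    return APPLICANTS[applicant_id]


def get_applicant_scoped(session: Optional[Session], applicant_id: int) -> Tuple[int, str]:
    """Authenticates, then verifies the caller is authorized for this object."""
    if session is None:
        raise Unauthenticated()
    record = APPLICANTS.get(applicant_id)
    # Treat "does not exist" and "not yours" identically so the endpoint
    # cannot be used as an oracle for which ids are valid.
    if record is None:
        raise Forbidden()
    owning_restaurant, _ = record
    if not session.is_global_admin and owning_restaurant != session.restaurant_id:
        raise Forbidden()
    return record


def accessible_ids(handler, session: Optional[Session]) -> set:
    """Defender-side check: which applicant ids can this session read via `handler`?

    Walks the known id space once; useful as a regression test that a tenant
    admin cannot see other tenants' records.
    """
    reachable = set()
    for applicant_id in APPLICANTS:
        try:
            handler(session, applicant_id)
        except (Forbidden, Unauthenticated, KeyError):
            continue
        reachable.add(applicant_id)
    return reachable


if __name__ == "__main__":
    restaurant_admin = Session(user="test-restaurant-admin", restaurant_id=1)
    print("auth only:", sorted(accessible_ids(get_applicant_auth_only, restaurant_admin)))
    print("scoped:   ", sorted(accessible_ids(get_applicant_scoped, restaurant_admin)))
```

Run stand-alone, the auth-only handler lets the restaurant-1 admin read all three records, while the scoped handler returns only the two that belong to restaurant 1; a global admin sees everything under both, and an unauthenticated caller sees nothing under either. That is the point of the thread in one test: closing the login hole changes who can reach the endpoint, but only the per-object check changes what a legitimate low-scope account can read.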