Researchers on Friday reported that an insecure direct object reference (IDOR) vulnerability allowed the reading and modification of all user workouts on the cloud-based Wodify fitness platform.
IDORs are a type of access control vulnerability that occurs when an application uses user-supplied input to access objects directly, without verifying that the requesting user is authorized to access the object that the input points to.
In a blog post, Bishop Fox researchers said this access was not limited to a single entity, so it was possible to enumerate all entries and modify them. Once able to modify entries, an attacker could insert malicious JavaScript payloads, leading to cross-site scripting (XSS). Attackers could also leverage this to hijack a user’s session, or to steal a hashed password or the user’s JSON Web Token through the sensitive information disclosure vulnerability.
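To make the pattern concrete, here is an added example (not code from the article, from Wodify or from Bishop Fox) of a minimal workout-update handler with the IDOR described above, next to a fixed version that checks record ownership against the authenticated session, plus output escaping for the stored XSS chain. The store, user names and workout records are constructed sample data.

```python
# Added example, not from the article or from Wodify/Bishop Fox. A minimal
# workout API showing the IDOR pattern next to the fixed version that checks
# record ownership against the authenticated session.
import html
from dataclasses import dataclass


@dataclass
class Workout:
    id: int
    owner: str        # account that created the record
    notes: str        # free text later rendered in the web UI


class Forbidden(Exception):
    """Raised when the session user does not own the requested record."""


def sample_store():
    # Constructed sample data: one workout each for two different users.
    return {
        101: Workout(101, "alice", "5k run"),
        102: Workout(102, "bob", "deadlift 3x5"),
    }


def update_notes_vulnerable(store, session_user, workout_id, notes):
    # IDOR: the user-supplied id addresses the record directly and the
    # session user is never compared with the record's owner, so any
    # authenticated user can walk the id space and modify others' data.
    store[workout_id].notes = notes
    return store[workout_id]


def update_notes_fixed(store, session_user, workout_id, notes):
    # Fix: resolve the object, then enforce ownership before acting on it.
    # A missing record and a foreign record get the same response, so the
    # id space cannot be enumerated through differing error codes.
    workout = store.get(workout_id)
    if workout is None or workout.owner != session_user:
        raise Forbidden
    workout.notes = notes
    return workout


def render_notes(workout):
    # Second layer against the XSS chain: escape notes on output so a
    # payload that reached the database cannot execute in other browsers.
    return f"<li>{html.escape(workout.notes)}</li>"
```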
The researchers said a combination of all these vulnerabilities could have had a severe business and reputational impact for Wodify, letting any authenticated user modify all of the platform's production data as well as extract sensitive personally identifiable information. While Wodify eventually made the fixes, it took some 180 days and much back and forth between Bishop Fox and Wodify to resolve the issue.
It’s no longer enough to ask if cloud infrastructure by itself runs securely, said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. Bar-Dayan said gone are the simple days of vulnerability remediation through patch management alone, adding that cloud-native application vulnerabilities are complex and can only be mitigated through holistic identification and analysis of the interdependencies that exist within code, cloud, and traditional network infrastructure.
“This IDOR vulnerability affecting the Wodify app platform is a perfect example,” Bar-Dayan said. “Insufficient authorization controls provide the open back door; however, the real damage happens when other vulnerabilities are daisy-chained, XSS gets used, and PII and financial data are extracted. More must be done to identify and mitigate IDOR risk as the obvious key to the kingdom.”
Tim Wade, technical director of the CTO Team at Vectra, said the IDOR’s presence demonstrates a failure to adequately design or test web application authorization controls. Wade said essentially the web application was built to assume users will stay in their lane and only touch the data the web app suggests they should touch.
“Unfortunately, suggestions without consequences make for poor deterrents,” Wade said. “Organizations that hope to avoid this mistake will do well to align their application development and testing processes with guidance from a respected industry source like OWASP. In prior years, IDOR warranted its own treatment in the OWASP Top 10, but now falls under the more generalized Broken Access Control category.”