Navigating Data Breaches: Attack Methods and Mitigation

Imagine a bright summer day. You have just woken up, picked up your phone and discovered that company “X” has sent you a promotional message: “Hey! We're offering you … at 50% discount”.

For most people, the focus would be on the exciting discount. But if you're a tech enthusiast or a hacker, your mind takes a different turn. Instead of the offer, a question gnaws at you: "How did this company get my number?"

As you sip your morning coffee, your curiosity deepens. You start thinking about the countless ways your personal information could have been exposed. Was it through a data breach at some point? Did an app you use sell your data? The digital world is a complex web of interactions, and somewhere along the line, your phone number became a part of that web.

This scenario is not merely a hypothetical thought experiment. It is a reality that highlights the widespread and often unnoticed impact of data breaches. In "Navigating Data Breaches: Attack Methods and Mitigation," I will discuss my experience with a recent data breach, how hackers exploit vulnerabilities to obtain access to personal information, and what steps can be taken to prevent such intrusions.

One day, I woke up and was scrolling through my Facebook timeline when a post caught my eye. It was posted by one of my OSINT expert seniors. The post was about a data breach at the company “Redact”, whose data was being sold by the hackers on Breach Forum. I was astonished, because I was also a user of that company, and realized that my information was also in that auction :) (pretty cool yeah? LOL)

Navigating the Data Breach: How Did It Happen?

As a security researcher, the temptation to test the web app of the "Redact" company and uncover the vulnerability responsible for their data breach was irresistible to me. So, sit back and keep reading. You'll be amazed at how a simple vulnerability can lead to a massive data breach for a company!

While navigating through the website, one particular page caught my attention: the "Order Tracking" page. This section prompted users to input their consignment or tracking ID, promising to display the current status of their order.

Fig: Order tracking page

After discovering the field, I decided to test it by entering a random digit, hoping to uncover something interesting. However, my attempt yielded no valuable data. (Cue the sound of crickets...)

Fig: Sadness :3

But then, my hacker instincts kicked in and I started thinking outside the box. What type of ID were they requiring? Was it a UUID or a normal 10-16 digit number? After spending a couple of hours investigating, I managed to find a consignment ID saved in my account parcel history from a recent courier parcel.

Fig: Requesting with my consignment ID

To my surprise, the consignment ID was a 14-digit number with no alphabetical characters. This made me think about IDOR. For beginners, IDOR stands for Insecure Direct Object Reference. It occurs when an application exposes a direct reference to an internal object (such as a database ID) and fails to check that the requester is actually authorized to access it, so a user can read other users' data simply by knowing or guessing their ID.

I won't go into detail about IDOR here, but you can find more information in the references.

Back to the story. Since the ID was easily guessable, I changed the last digit of my consignment ID. Boom! I accessed another user’s parcel history. However, there was an issue: the user's phone number wasn't fully disclosed; it appeared as 016*******89. This raised a new question: how did the hacker get the full phone number?

Fig: Requesting with another user’s consignment ID

The solution was straightforward. While searching with my consignment ID, I intercepted the request using Burp Suite and sent it to the Repeater tab. When I then sent the request with a different user's consignment ID, the full phone number was disclosed in the raw response.

Fig: Burp Suite Repeater tab

This meant the phone number was being masked only on the front end; the back end returned the full number to anyone who asked for it. This is how an attacker can access users' personal information, leading to a data breach.

Conclusion

The incident involving the "Redact" company's online app serves as an important example of how easily personal data can be accessed if sufficient security measures are not applied. Understanding how attackers utilize tactics like abusing Insecure Direct Object References (IDOR) allows us to better prepare and defend our digital assets.

As a security researcher, discovering the vulnerability on the "Order Tracking" page and understanding the potential impacts was eye-opening. This journey highlights the importance of ongoing awareness and proactive steps in the field of cybersecurity. Ensuring strong authentication and authorization procedures, doing extensive testing, and following best practices can considerably reduce the risk of data breaches. 

Mitigation

  1. Implement Proper Access Controls: Ensure that all direct object references are protected by implementing strong authentication and authorization checks. Only authorized users should have access to sensitive data.
  2. Use Indirect References: Instead of exposing actual object IDs in URLs or forms, use indirect references such as tokens or hashed values that are mapped to actual IDs on the server side.
  3. Input Validation: Validate all user inputs on both the client and server sides to prevent unauthorized access through malicious inputs.
  4. Regular Security Testing: Conduct regular security assessments, including penetration testing and code reviews, to identify and remediate vulnerabilities.
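To make the Order Tracking flaw and the first two mitigations concrete, here is an added example (my own illustration, not the "Redact" company's code): a lookup that reproduces the IDOR and the front-end-only masking described above, beside a hardened version that authorizes against the logged-in user, masks the phone number on the server, and replaces the guessable 14-digit ID with a random tracking token. The parcel records, phone numbers and user names are constructed sample data.

```python
import secrets
from typing import Optional

# Constructed sample data: sequential 14-digit consignment IDs like the ones on the real site.
PARCELS = {
    "12345678901234": {"owner": "alice", "status": "Delivered",  "phone": "01612345689"},
    "12345678901235": {"owner": "bob",   "status": "In transit", "phone": "01798765432"},
}
# Server-side map from unguessable tracking tokens to consignment IDs.
TRACKING_TOKENS: dict = {}


def mask_phone(phone: str) -> str:
    """Mask the middle of a phone number, keeping the first 3 and last 2 digits."""
    return phone[:3] + "*" * (len(phone) - 5) + phone[-2:]


def track_vulnerable(consignment_id: str) -> Optional[dict]:
    """The IDOR: any ID is looked up with no ownership check, and the full phone
    number goes back in the response; masking was only done by front-end code."""
    return PARCELS.get(consignment_id)


def track_secure(consignment_id: str, session_user: Optional[str]) -> Optional[dict]:
    """Hardened lookup: the ID must belong to the logged-in user (mitigation 1), and
    the phone number is masked before it leaves the server, not just in the UI."""
    parcel = PARCELS.get(consignment_id)
    if session_user is None or parcel is None or parcel["owner"] != session_user:
        return None  # same answer for "not found" and "not yours": no enumeration oracle
    return {"status": parcel["status"], "phone": mask_phone(parcel["phone"])}


def issue_tracking_token(consignment_id: str) -> str:
    """Indirect reference (mitigation 2): give the customer a random token instead
    of the sequential ID; the token-to-ID mapping lives only on the server."""
    token = secrets.token_urlsafe(24)
    TRACKING_TOKENS[token] = consignment_id
    return token


def track_by_token(token: str) -> Optional[dict]:
    """Public tracking link: resolve the token server-side and still return only
    the masked phone number."""
    consignment_id = TRACKING_TOKENS.get(token)
    if consignment_id is None:
        return None
    parcel = PARCELS[consignment_id]
    return {"status": parcel["status"], "phone": mask_phone(parcel["phone"])}
```

Changing the last digit of the ID works against `track_vulnerable` exactly as in the story, while `track_secure` answers with the same empty result for a missing ID and for another user's ID, so the response cannot be used to tell valid IDs from invalid ones.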

References

As promised, for more information on Insecure Direct Object References (IDOR), we are attaching resources and references for identifying and preventing IDOR:

By following these mitigation strategies and consulting the referenced resources, organizations can better safeguard their systems against IDOR and other vulnerabilities, ensuring the protection of sensitive user data.
