Posted on November 10, 2020 at 5:08 PM
A security researcher at US security firm Silent Breach, Jeff Steinburg, helped the US Department of Defense (DOD) discover a vulnerability, which prevented massive vulnerability breach.
The vulnerability, if found by threat actors, would have allowed hackers to hijack DOD accounts. The threat actors only need to modify some parameters to gain access to the DOD server. But the timely report of Seinburg prevented such threat.
The severe bug would have allowed hackers to hijack DOD accounts just by modifying a few parameters in web requests sent to DOD servers.
His timely report was received through the DOD vulnerability Disclosure program VDP), with the bug receiving a severity rating of “Critical (9 – 10). It requires very little technical skill to exploit and take over any DOD the attacker chooses. But for the timely report of Steinburg, the bug would have easily spread.
Full details of the bug not disclosed for security reasons
Although the bug report was the first time Steinburg has participated in the DOD VDP report, it still earned him the award of “Researcher of the Month” due to the severity and importance of the reported issue. It saved the DOD a lot of trouble and headaches, as the department would have been dealing with a lot of security issues if attackers discover the vulnerability.
“The IDORs reported allowed for unauthorized information disclosure and unauthenticated account takeover,” the DOD announced on its Twitter page.
Although the department disclosed some details about the vulnerability today, it said it will reserve full disclosures to protect the security of the DOD network.
Based on the summary report of the bug, it was seen as vulnerability tagged Insecure Direct Object References (IDOR). It’s a typical vulnerability where there are incomplete security checks in an application, which allows threat actors to modify some parameters with no added identity checks.
For this case the vulnerability would have enabled the attacker to send a genuine web request to the DOD website, modifying the username and ID parameters. This would enable the attacker to change ant user DOD user account passwords, allowing them to take control of accounts and infiltrate the DOD network later.
Today, it’s very easy to discover IDOR bugs because of the availability of a wide range of tools that make them less time-consuming to discover.
According to an application security engineer at Shutterstock, John Jackson, most of these vulnerabilities allow attackers to alter harmless parameters and modify the account settings.
“Insecure Direct Object Reference vulnerabilities are those silent, underrated bugs, yet they are not uncommon,” Jackson reiterated.
These account settings may not have a critical effect on the systems, but some IDOR breaches may have a severe impact when the bugs are found in highly sensitive account fields like in payout/account recovery emails and passwords.
Bug hunting business is becoming lucrative
To offer more protection against their systems, several companies and organizations have set up bug bounty programs for security researchers. The idea gives security researchers the freedom to search for vulnerabilities in their system, and report them before threat actors find the bugs.
The researchers are compensated for their efforts while the company organizing the bounty prevents security risks.
In August, two Indian bug hunters received $20,000 compensation from Apple’s program for discovering bugs in Apple’s system.
Most of the tech giants have their bug hunting programs setup to reward researchers who discover bugs that are termed too dangerous to be left undetected.
The various bug bounty programs such as Bugcrowd and HackerOne work as links between businesses and security researchers.
Launched last year, the Apple Security Bounty program can pay a researcher up to $1.5 million in bug bounty payments, which is the highest in the world.
Some of the bug hunters have already taken the exercise as a full-time job. HackerOne is an organization that employs security researchers and bug hunters. The association has discovered more than 123,000 security vulnerabilities and has helped its hackers earn more than $62 million. Several other independent bug hunters are doing quite well and helping companies protect their systems.