Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug
The US Department of Defense has fixed a severe vulnerability impacting its internal network that would have allowed threat actors to hijack DOD accounts just by modifying a few parameters in web requests sent to DOD servers.
The vulnerability was discovered by Jeff Steinburg, a security researcher at US security firm Silent Breach, and privately reported and patched via the DOD's Vulnerability Disclosure Program (VDP).
The issue received a severity rating of "Critical (9 ~ 10)" because the bug required minimal technical skills to exploit and hijack any DOD account of the attacker's choosing.
The severity of the reported issue earned Steinburg the DOD's "Researcher of the Month" award, despite the bug being the researcher's first DOD VDP report.
With their first reports to @DeptofDefense @DC3VDP as High and Critical we are happy to announce Jeff Steinburg @SilentBreach for this month's #ResearcherOfTheMonth. The IDORs reported allowed for unauthorized information disclosure and unauthenticated account takeovers. TYVM! pic.twitter.com/7LLWYxchx3
— DC3 VDP (@DC3VDP) November 6, 2020
While some details about the bug have been disclosed earlier today, a full report won't be fully available; to protect the security of the DOD network.
According to this summary report, the bug was categorized as an Insecure Direct Object References (IDOR) vulnerability, a bug where security checks are missing from an application, allowing hackers to modify a few parameters without any additional identity checks.
In the DOD's case, the bug would have allowed an attacker to take a legitimate web request sent to a DOD website, modify the user ID and username parameters, and the DOD site would have allowed the attacker to change any user's DOD account password — which would have allowed hackers to hijack accounts and later breach the DOD's network.
Today, IDOR bugs are considered easy to find due to the plethora of automated tools that make their discovery a less time-consuming process.
Most IDOR bugs today allow attackers to modify harmless parameters and tweak account settings of little importance, but some IDOR bugs can also have severe consequences when the IDOR bugs reside in sensitive account fields such as passwords and account recovery/payout emails, or for price values in shopping carts, John Jackson, an Application Security Engineer at Shutterstock, told ZDNet in an interview today.
"Insecure Direct Object Reference vulnerabilities are those silent, underrated bugs, yet they are not uncommon," Jackson said.
The DOD fixed the bug by adding a user session mechanism to the DOD account system, preventing attackers from modifying parameters without authenticating on the site first, or by obtaining an attacked DOD user's session cookie first.