Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Insecure direct object reference
open-in-new
<h2 id="examples">Examples</h2> <p>In November 2020, the firm Silent Breach identified an IDOR vulnerability with the <a href="/facts/United_States_Department_of_Defense/dWAvf7e3">United States Department of Defense</a> web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p><p>It was reported that the <a href="/facts/Parler/lFb3Q3og">Parler</a> <a href="/facts/Social_networking/qFIh6VT1">social networking</a> service used sequential post IDs, and that this had enabled the scraping of terabytes of data from the service in January 2021. The researcher responsible for the project has said this was inaccurate.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a><a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Insecure direct object references (IDOR) | Web Security Academy". portswigger.net. Retrieved 2021-01-12. <a href="https://portswigger.net/web-security/access-control/idor" target="_blank">https://portswigger.net/web-security/access-control/idor</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Karande, Chetan. "Securing Node Applications - 4. Insecure Direct Object References". www.oreilly.com. Retrieved 2021-01-12. <a href="https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch04.html" target="_blank">https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch04.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Solomon, Howard (2021-01-12). "Common development error likely led to huge Parler data theft, says expert | IT World Canada News". www.itworldcanada.com. Retrieved 2021-01-12.[permanent dead link] <a href="https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646,%20https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646" target="_blank">https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646,%20https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Contieri, Maximiliano (2025-05-17). "Refactoring 028 - Replace Consecutive IDs with Dark Keys". Clean Code Cookbook. Retrieved 2025-05-17. <a href="https://maxicontieri.substack.com/p/refactoring-028-replace-consecutive" target="_blank">https://maxicontieri.substack.com/p/refactoring-028-replace-consecutive</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Cimpanu, Catalin. "Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug". ZDNet. Retrieved 2021-01-12. <a href="https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/" target="_blank">https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Greenberg, Andy (January 12, 2021). "An Absurdly Basic Bug Let Anyone Grab All of Parler's Data". Wired. Archived from the original on January 12, 2021. Retrieved January 12, 2021. <a href="https://www.wired.com/story/parler-hack-data-public-posts-images-video/" target="_blank">https://www.wired.com/story/parler-hack-data-public-posts-images-video/</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>@donk_enby (January 30, 2021). "also a lot of the news coverage claimed the post IDs were sequential. they were not, but: https://github.com/d0nk/parler-tricks/blob/main/parler/conversion.py#L22 (this endpoint only existed in their iOS app and afaik wasn't actually used for anything)" (Tweet). Archived from the original on January 30, 2021. Retrieved February 12, 2021 – via Twitter. <a href="https://x.com/donk_enby/status/1355640041155031040" target="_blank">https://x.com/donk_enby/status/1355640041155031040</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> </ol>