NOKIA - Insecure Direct Object Reference

Hi all,

Recently I found an Insecure Direct Object Reference issue on Nokia. I have already reported this issue and it has been fixed.

Thanks to the Nokia developer team. They have listed my name on the Nokia Hall of Fame list at the URL below: nokia.com/global/security/acknowledgements

Before discussing the issue, we will first look at what an Insecure Direct Object Reference is.

What is Insecure Direct Object Reference?

Insecure Direct Object References are flaws in system design where access to sensitive data or assets is not fully protected: the application exposes references to its data objects on the assumption that users will always follow the application's rules.

An Insecure Direct Object Reference attack is one where an attacker, who is an authenticated user of the system, simply changes a parameter value that directly refers to a system object so that it refers to another object the user is not authorized to access.

  • Authentication: Authentication verifies who you are.
  • Authorization: Authorization verifies what you are authorized to do.

OWASP Definition For Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization unless an access control check is in place.

How to identify Insecure Direct Object Reference?

Identifying this vulnerability with automated tools is somewhat harder than for other vulnerabilities, because to confirm it you not only need to find the flawed interface but also need to work out the pattern of the object identifiers it protects, such as a filename, user ID, or customer ID.

So let's begin with how I found the Insecure Direct Object Reference on Nokia:

Nokia has a feature called “Request Details” where a user requests invoice details, and these requests are saved in the “Requests waiting for response” section of the user's profile. The request can then be viewed by that user. Below is the URL for it:

https://ap.nokia.com/APPortalExt/mycompany/requests.aspx?id=28176

Below is the screenshot for viewing data that the user is authorized to see:

After analyzing the above-mentioned URL, I noticed that the id parameter is a plain number.

I easily changed this to another valid request number and was able to see invoice details that had been requested by another user.

Below is the screenshot showing another user's data, which I was not authorized to view:

Nokia Response

Nokia Hall Of Fame List

Prevent Insecure Direct Object References

In simple terms, the protection we need is to:

  • Minimize user ability to predict object IDs/Names
  • Don’t expose the actual ID/name of objects
  • Verify user authorization every time a sensitive object/file/content is accessed
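The flaw and the three protections above, as an added Python example that is not Nokia's code: a request lookup keyed only by a sequential id beside one that checks ownership on every access, plus an unguessable indirect reference in place of the raw id. The request store, ids and owners are constructed for the example.

```python
import secrets

# Constructed sample data standing in for the "Requests waiting for response"
# store; the ids, owners and invoice numbers are invented for this example.
REQUESTS = {
    28176: {"owner": "alice", "invoice": "INV-1001"},
    28177: {"owner": "bob", "invoice": "INV-2002"},
}


def view_request_vulnerable(current_user, request_id):
    # Authentication only: current_user is never compared with the record,
    # so any logged-in user can read any request by guessing its id.
    return REQUESTS.get(request_id)


def view_request_fixed(current_user, request_id):
    # Authorization on every access: the record must belong to the caller.
    record = REQUESTS.get(request_id)
    if record is None or record["owner"] != current_user:
        # Same result for "missing" and "not yours", so the response does
        # not confirm whether a given id exists. The caller maps it to 404.
        return None
    return record


# Indirect references: hand the client an unguessable token instead of the
# sequential id. In a real app this map would live in the user's session.
_TOKEN_TO_ID = {}


def issue_reference(request_id):
    token = secrets.token_urlsafe(16)
    _TOKEN_TO_ID[token] = request_id
    return token


def view_request_by_token(current_user, token):
    request_id = _TOKEN_TO_ID.get(token)
    if request_id is None:
        return None
    # The token hides the id, but the ownership check still runs.
    return view_request_fixed(current_user, request_id)
```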

Recent Reply From Nokia (4 Sept 2013)

Generous reward: a Lumia 920 from Nokia (fastest delivery from Nokia, received within 3 days 🙂)
