AI coding threatens to make common security flaw more prevalent


The use of artificial intelligence for development is threatening to make a specific type of web application flaw, insecure direct object references (IDORs), far more common, security researchers say.



IDORs are a type of vulnerability that essentially amounts to broken access control in web applications.

Exploiting IDORs is easy, requiring no special skills, privileged access or particular tools.

A recent case of IDOR involved McDonald’s AI McHire application, which had not only been misconfigured with a default password for an administrative subsite, but also lacked correct access controls on an internal application programming interface (API).

Through the IDOR, security researchers Ian Carroll and Sam Curry were able to access sensitive personal information including chat interactions of job applicants.

Carroll and Curry were able to do so by simply decrementing a number for a parameter, potentially giving them access to over 64 million job applicants’ details.

IDORs are extremely common, with the technical director of Trans-Tasman Bastion Security, Sam Shute, saying they are ranked as the most common A01 flaw in the Open Web Application Security (OWASP) Top Ten list.

Closer to home, Shute said the high-profile Optus data breach uncovered in 2022 was an IDOR; the flaw was introduced in 2018, involving an insecure API endpoint that had either insufficient or no authentication, allowing the attacker access to Optus customers’ data.

Atlassian’s Confluence Server incident is another recent IDOR case, in which attackers were able to exploit broken access controls to change configurations and to create new administrator accounts on vulnerable systems.

IDOR issues are often on the high side of the severity scale, as the impact is generally disclosure of large amounts of sensitive information, which was the case in the McDonald’s McHire and Optus vulnerabilities.

Shute explained that when access controls are forgotten, the flaw can be easily exploited without authentication, or by all logged-in users.

“IDORs are definitely a common issue that we see during penetration testing,” Shute said.

They could become even more common, as AI-assisted development becomes the norm.

Developers under productivity pressure and AI add to threat

Traditionally, coders being rushed into releasing applications and placing too much trust in the tools they use have been the main reasons for broken access control vulnerabilities appearing.

“Developers are often under time pressures or put too much reliance on the software frameworks supporting the applications that they build,” Shute said.

“This can cause them to not properly understand the implications of the access control model that they have built,” he added.

Since the flaw is one of omission, as in failing to check for proper access controls, rather than a straight-up error, it can be harder to spot in code reviews.
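To illustrate why the omission is hard to see in review and how a test can catch it, here is an added example (not code from this article or from any of the affected systems): a handler that looks up records by sequential id without an ownership check, a corrected version, and an authorization regression check that compares them. All names, the staff role and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False  # assumed role allowed to read every record

# Constructed sample data with sequential ids.
APPLICATIONS = {
    1001: {"owner": "alice", "chat": "alice's interview transcript"},
    1002: {"owner": "bob", "chat": "bob's interview transcript"},
    1003: {"owner": "carol", "chat": "carol's interview transcript"},
}

class Forbidden(Exception):
    """Caller is not allowed to read the requested object."""

def get_application_unchecked(user, app_id):
    # Reads as complete in review: the caller is authenticated, the id is parsed.
    # The defect is what is absent: nothing ties app_id to the caller.
    if user is None:
        raise Forbidden("login required")
    return APPLICATIONS[int(app_id)]

def get_application_checked(user, app_id):
    if user is None:
        raise Forbidden("login required")
    record = APPLICATIONS.get(int(app_id))
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if record is None or not (user.is_staff or record["owner"] == user.name):
        raise Forbidden("not found")
    return record

def cross_user_leaks(handler, users):
    """Call handler for every (user, object) pair; return pairs that leaked."""
    leaks = []
    for user in users:
        for app_id, record in APPLICATIONS.items():
            if user is not None and (user.is_staff or record["owner"] == user.name):
                continue  # legitimate access, not under test
            try:
                handler(user, app_id)
            except (Forbidden, KeyError):
                continue  # correctly denied
            leaks.append((user.name if user else None, app_id))
    return leaks

USERS = [None, User("alice"), User("bob"), User("hr", is_staff=True)]
```

Running `cross_user_leaks` over every handler that takes an object id, as part of the test suite, turns the missing check into a failing test instead of relying on a reviewer to notice an absent line.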

AI has the potential to make IDORs and broken access control problems worse, Shute said.

“The use of AI in software development is highly likely to make IDOR issues more prevalent,” Shute said.

“As AI doesn’t truly understand the business context within which a system operates, it doesn’t know whether a certain piece of information should be known by just the submitting user, internal only users, or all users.”

Sometimes referred to as “vibe coding”, AI-assisted development is touted as being able to speed up application creation considerably, while removing the need for extensive knowledge and experience.

However, the technology can become a force multiplier for human errors and system pressures, risking the creation of more vulnerabilities if developers uncritically accept AI suggestions.

Recognising this, security vendor Backslash has developed a free, maintained knowledge base, the Vibe Coding Security Threat Model, which covers different components of AI development and the risks they might bring.

