U.S. and Australian government cybersecurity agencies are warning that common and easily exploitable security vulnerabilities in websites and web apps can be abused to carry out large-scale data breaches.

In a joint advisory published Thursday, U.S. cybersecurity agency CISA, the National Security Agency and the Australian Cyber Security Centre said that the vulnerabilities, known as insecure direct object references (IDORs), allow malicious hackers to access or modify sensitive data on an organization’s servers because of a lack of proper security checks.

An IDOR vulnerability is like having a key to your mailbox, but that key also allows you to unlock every other mailbox on your street. IDORs can be particularly problematic because, like a row of mailboxes, a bad actor can exploit them sequentially one after the other and access data that they should not be allowed to.

Because these vulnerabilities can often be exploited by enumeration, IDORs can be abused “at scale” using automated tools, the advisory warns.

“While there have been prior open source reports on insecure direct object reference (IDOR) vulnerabilities in web applications, CISA and our partners at the Australian Cyber Security Centre and National Security Agency realized this is a major flaw with too little recognition or understanding within the cyber community. Today’s joint advisory is the first significant advisory on this subject to help organizations protect sensitive data in their systems and push vendors to reduce prevalence of IDOR vulnerabilities and flaws,” James Stanley, CISA Product Development Section Chief, told TechCrunch.

The joint advisory notes that IDORs have resulted in major data breaches in the United States and overseas.

In recent years, IDORs have resulted in the exposure of thousands of medical documents by a U.S. laboratory giant, a state government website that spilled thousands of taxpayers’ personal information, a college contact-tracing app that leaked COVID-19 vaccination status and a state-backed health app that allowed access to other people’s vaccination data. IDORs also resulted in the mass data spill of hundreds of millions of U.S. mortgage documents, the exposure of the real-time location data of more than a million vehicles from a flawed GPS tracker and the leak of hundreds of thousands of people’s private phone data stolen by a global stalkerware network.

The joint advisory says developers should ensure their web apps perform authentication and authorization checks to reduce IDORs, and that software is secure-by-design, a principle promoted by CISA that urges software makers to bake-in security from the beginning and throughout the software development process.

“Secure-by-design is a fundamental theme in this advisory. Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data by design and default,” said CISA’s Stanley.

Australia’s cyber agency said it continues to observe malicious actors exploiting misconfigured networks.

“Even a single breach using IDOR vulnerabilities can have a national impact. A malicious actor being able to exfiltrate data could impact critical infrastructure, businesses, government and individuals,” said Patrick Holmes with the Australian Cyber Security Centre.