Silent Breach Finds Critical Security Flaws on DoD Network

Silent Breach Labs


Following the release of successful patches, Silent Breach can now disclose that we've identified two 0-day vulnerabilities (of high/critical severity) that allowed for Insecure Direct Object Reference on DoD websites.
                         
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. IDOR is a serious flaw that, in this case, allowed our ethical hackers to execute an unauthenticated account takeover. Upon discovering the issue, Silent Breach Labs immediately reached out to the Department of Defense, and worked together to ensure that the issue was successfully mitigated and that users remained protected in the meantime.
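To make the access-control failure described above concrete, here is an added illustration (not code from Silent Breach, the DoD, or the affected sites) of a profile lookup that trusts a user-supplied object id outright, next to the same lookup with the ownership check that closes the hole. The account records, ids, handler names and `Request` shape are all constructed for the example.

```python
"""Constructed illustration of an IDOR flaw and its fix.

A profile endpoint takes an account id from the request.  The vulnerable
version fetches whatever id it is handed; the hardened version first
requires an authenticated session and then checks that the session's user
actually owns the requested object.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two accounts in a toy datastore (hypothetical values).
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.invalid", "reset_token": "tok-a"},
    1002: {"owner": "bob",   "email": "bob@example.invalid",   "reset_token": "tok-b"},
}


@dataclass
class Request:
    session_user: Optional[str]  # None when the caller is unauthenticated
    account_id: int              # user-supplied, e.g. taken from ?id=1002


class Forbidden(Exception):
    """Raised when the hardened handler refuses to serve the object."""


def get_profile_vulnerable(req: Request) -> dict:
    """IDOR: the object is selected purely by user-supplied input, with no
    authentication and no ownership check, so any caller can read any account."""
    return ACCOUNTS[req.account_id]


def get_profile_hardened(req: Request) -> dict:
    """Fix: require an authenticated session and verify that the session's user
    owns the object before returning it.  The id alone is never treated as
    proof of authorisation."""
    if req.session_user is None:
        raise Forbidden("authentication required")
    record = ACCOUNTS.get(req.account_id)
    if record is None or record["owner"] != req.session_user:
        # One response for both "missing" and "not yours", so differing error
        # messages do not reveal which ids exist.
        raise Forbidden("no such object for this user")
    return record


def can_read(handler, session_user: Optional[str], account_id: int) -> bool:
    """True if the handler returns the record, False if it refuses or fails."""
    try:
        handler(Request(session_user, account_id))
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # An unauthenticated caller asking for bob's record:
    print("vulnerable:", can_read(get_profile_vulnerable, None, 1002))  # True  (the flaw)
    print("hardened:  ", can_read(get_profile_hardened, None, 1002))    # False
    # Alice, authenticated, asking for bob's record:
    print("other user:", can_read(get_profile_hardened, "alice", 1002))  # False
    # Bob asking for his own record:
    print("owner:     ", can_read(get_profile_hardened, "bob", 1002))    # True
```

The defensive point is that authorisation has to be decided per object, not per endpoint: knowing that a caller is logged in says nothing about which records they may touch. In a real application the ownership test would usually be pushed into the data layer (query by `(owner, id)` rather than by `id` alone) so that no handler can forget it.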

The IDOR vulnerabilities were reported to the Department of Defense on October 10, 2020 and were successfully closed on or before October 27, 2020. Links to the two 0-day reports can be found here and here. The DoD has granted permission to disclose each vulnerability on November 9th and November 23rd, respectively.

For more information or for guidance on how this issue may affect your organization, please contact Silent Breach at: hello@silentbreach.com or at silentbreach.com/Contact.php.

Silent Breach's research team uncovers new 0-days in popular systems on a regular basis and works closely with the affected parties to ensure that the vulnerabilities are properly and securely disclosed, monitored and patched.

As a standard practice, Silent Breach does not confirm, discuss or disclose any security issues or vulnerabilities until a fix has been released on all affected systems or until express permission has been provided by the relevant parties.

For related coverage:
ZDNet: https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/
Department of Defense: https://twitter.com/DC3VDP/status/1324720518067560448


About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.