Strix uncovers zero-auth IDOR in DoD contractor's multi-tenant SaaS
Original source: Securing a DoD contractor: Finding a multi-tenant authorization vulnerability (via Hacker News)
An AI-driven security testing tool from Strix surfaced a broken authorization flaw in a DoD-backed startup’s multi-tenant platform. The bug allowed cross-tenant access without proper authentication checks, meaning a user in one tenant could reach data belonging to another — a textbook IDOR-style failure compounded by missing server-side authorization at the service layer.
The finding underscores a recurring pattern in multi-tenant SaaS: tenant isolation is enforced at the UI or query-filter layer rather than as a hard authorization check on every resource access. For a contractor in the defense supply chain, the blast radius extends beyond the platform itself, since cross-tenant leakage in that context can implicate sensitive program data and compliance obligations (CMMC, ITAR-adjacent controls).
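The pattern described above, as an added illustration (the article shows no code, and this is not the platform's own implementation): a list endpoint that scopes by tenant and therefore looks isolated, a direct-by-id lookup with no caller identity or ownership check, and the hardened lookup that authenticates and checks tenant ownership on every resource access. Tenant names, document ids and sample data are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str


# Constructed sample store: two tenants, one document each.
DOCS = {
    1: Document(1, "tenant-a", "tenant A program notes"),
    2: Document(2, "tenant-b", "tenant B program notes"),
}


def list_documents(session: Session) -> list:
    """Query-filter isolation: the list endpoint scopes by tenant, so the UI
    appears isolated even when other endpoints enforce nothing."""
    return [d for d in DOCS.values() if d.tenant_id == session.tenant_id]


def get_document_unchecked(doc_id: int) -> Optional[Document]:
    """The weak pattern: lookup by id with no caller identity and no ownership
    check, so any existing id is returned regardless of tenant (IDOR)."""
    return DOCS.get(doc_id)


def get_document(session: Optional[Session], doc_id: int) -> Tuple[int, Optional[Document]]:
    """Hardened pattern: authenticate, then check tenant ownership of the
    specific resource on every access, not only at the list/query layer.
    Returns an HTTP-like status so callers and tests can see the decision."""
    if session is None:
        return 401, None  # no caller identity: refuse before touching data
    doc = DOCS.get(doc_id)
    # Same answer for missing and foreign resources, so a caller in one tenant
    # learns nothing about which ids exist in another.
    if doc is None or doc.tenant_id != session.tenant_id:
        return 404, None
    return 200, doc
```

The per-resource check in `get_document` is the control the summary describes as missing: tenant scoping in `list_documents` alone does not stop a direct request for a neighbouring tenant's id.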
The broader signal is that automated agents are increasingly capable of chaining reconnaissance, account creation, and authorization probing to reach high-impact bugs that traditional SAST and dependency scanners miss. Authorization logic remains the soft underbelly of modern SaaS, and defense-sector vendors carry disproportionate risk when it fails.
This is an AI-generated summary. Read the original for the full story.