[Samsung Fire & Marine] Action is needed to prevent logins from sessions logged in from other IPs

If a session logged in from an IP address called A is tampered with by a user logged in from an IP address called B through the developer tools in IE Edge, the user information will be changed.
This needs to be improved as it risks allowing regular users to escalate their privileges to administrator status and manipulate important administrator settings.
Financial institutions in Korea are urged to take swift action against these vulnerabilities, as they will not be able to use the applications unless measures are taken.
Comments
Turribeach
Have you seen this advanced security option?
https://doc.dataiku.com/dss/latest/security/advanced-options.html#forcing-a-single-session-per-user
In most cases companies will not allow access to Dataiku externally, so while the requirements for financial institutions in Korea make sense for internet banking, they don't make sense for an intranet system that's only used internally within the company and not publicly accessible via the internet. Furthermore, you could easily restrict access to your Dataiku instance to specific IPs (see below), which could be private network IPs. So while you can't prevent session hijack, this will prevent most attack scenarios. Personally I think that you are looking at the wrong problem here. If you have an attacker who can already hijack your user's browser, then you have bigger problems than worrying about Dataiku access.
https://serverfault.com/questions/1148454/nginx-only-allow-certain-ips-to-access-a-url-prefix
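The two controls discussed in this thread, an IP allowlist in front of the instance and a session that is only valid from the IP it was issued to, can be demonstrated together at the reverse-proxy layer. The following is an added example written for this page; it is not Dataiku code and Dataiku exposes no such hook as far as this thread shows. The CIDR ranges, the server key, the trusted-proxy range and the function names (`client_ip`, `issue_session`, `verify_session`, `check_request`) are all constructed for illustration. It also handles the check a practitioner has to get right: `X-Forwarded-For` is only believed when the direct peer is a known proxy, and only the last hop that proxy appended is used, because the earlier entries are attacker-controlled.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Tuple

# Constructed values for the example; not taken from the page or from Dataiku.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]          # our own nginx tier
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/16"),        # office LAN
                   ipaddress.ip_network("192.168.1.0/24")]       # VPN pool
SERVER_KEY = b"constructed-example-key-rotate-me"               # hypothetical secret


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Resolve the real client address.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies,
    and then only its LAST element (the hop our proxy appended). Anything a
    client sends in the header itself is ignored, so it cannot be spoofed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def ip_allowed(ip: str) -> bool:
    """Allowlist check: the equivalent of nginx allow/deny for private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CLIENTS)


def _mac(session_id: str, ip: str) -> str:
    msg = f"{session_id}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(ip: str) -> str:
    """Issue a cookie value of the form <id>.<hmac(id|ip)>, bound to `ip`."""
    session_id = secrets.token_hex(16)
    return f"{session_id}.{_mac(session_id, ip)}"


def verify_session(token: str, ip: str) -> Optional[str]:
    """Return the session id if the token is intact AND presented from the
    IP it was bound to; otherwise None. A cookie copied out of the browser's
    developer tools and replayed from another address fails here."""
    try:
        session_id, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    if hmac.compare_digest(mac, _mac(session_id, ip)):
        return session_id
    return None


def check_request(remote_addr: str, x_forwarded_for: Optional[str],
                  cookie: Optional[str]) -> Tuple[str, Optional[str]]:
    """Decision for one request: ('ok', session_id) or (reason, None)."""
    ip = client_ip(remote_addr, x_forwarded_for)
    if not ip_allowed(ip):
        return ("denied_ip", None)
    if not cookie:
        return ("no_session", None)
    session_id = verify_session(cookie, ip)
    if session_id is None:
        return ("session_ip_mismatch", None)
    return ("ok", session_id)


if __name__ == "__main__":
    # Constructed scenario from the question: user logs in from A, attacker at B
    # replays the cookie. The proxy at 10.0.0.5 appends the real client IP.
    tok = issue_session("10.20.1.7")
    print(check_request("10.0.0.5", "10.20.1.7", tok))      # ('ok', <id>)
    print(check_request("10.0.0.5", "10.20.1.8", tok))      # ('session_ip_mismatch', None)
    print(check_request("10.0.0.5", "203.0.113.9", tok))    # ('denied_ip', None)
    # Spoofed header from a non-proxy peer is ignored, so the peer IP is used.
    print(check_request("203.0.113.9", "10.20.1.7", tok))   # ('denied_ip', None)
```

The trade-off the answer above hints at applies here too: users behind carrier NAT, a load-balanced egress pool or a laptop moving between VPN and office will be logged out when their address changes, which is why IP pinning is normally paired with a short session lifetime rather than relied on alone.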