In May 2021, fitness giant Peloton experienced what many API developers fear most—a severe Broken Object Level Authorization (BOLA) vulnerability that exposed the private data of its 3+ million users. What seemed like a minor oversight in authorization checks allowed anyone to bypass authentication and access user profiles, workout statistics, and personal information by simply manipulating user IDs in API requests.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Broken Object Level Authorization

  • Roman Canlas

摘要

In May 2021, fitness giant Peloton experienced what many API developers fear most—a severe Broken Object Level Authorization (BOLA) vulnerability that exposed the private data of its 3+ million users. What seemed like a minor oversight in authorization checks allowed anyone to bypass authentication and access user profiles, workout statistics, and personal information by simply manipulating user IDs in API requests.