Broken Object Level Authorization
摘要
In May 2021, fitness giant Peloton experienced what many API developers fear most—a severe Broken Object Level Authorization (BOLA) vulnerability that exposed the private data of its 3+ million users. What seemed like a minor oversight in authorization checks allowed anyone to bypass authentication and access user profiles, workout statistics, and personal information by simply manipulating user IDs in API requests.