Understanding Broken Object Level Authorization (BOLA) in API Security

October 30, 2024

In 2019, a security expert discovered severe vulnerabilities in Uber’s API that let hackers take control of any user account. This Broken Object Level Authorization (BOLA) issue put millions of users at risk of account takeover, location tracking, and unauthorized ride orders.

This incident shows the severe danger of BOLA issues in today’s API-driven application economy and reinforces the importance of solid API security practices.

In this blog, we will examine Broken Object-Level Authorization, explain how it works, and discuss methods to prevent it.

What is BOLA?

Broken Object-Level Authorization (BOLA) is a critical API security vulnerability that occurs whenever an application fails to properly verify that the requesting user is permitted to access the specific data object they ask for.

Object-level authorization is a control implemented in application code that validates a user’s entitlement to a particular object before allowing access to it.

The OWASP API Security Top 10 lists it as a serious threat to API security. The weakness is exploited by manipulating the object ID in a request, which gives the threat actor unauthorized access through an otherwise legitimate API endpoint or function.

BOLA differs from other API vulnerabilities in that it explicitly targets the authorization decision at the object level.

While other vulnerabilities aim at bypassing authentication or at injection flaws, BOLA takes advantage of missing validation checks at API endpoints when users try to access or change data objects they are not permitted to.

How BOLA Works

Inadequate authorization checks are often the root cause of BOLA vulnerabilities. Modern API-based applications frequently manage user state on the client side, relying heavily on object IDs provided by the client to determine access.

BOLA attacks are particularly dangerous because they’re relatively easy to execute but can have severe consequences. They can potentially lead to large-scale data breaches or unauthorized control of critical systems. 

BOLA attacks exploit API endpoints that handle object identifiers without proper authorization checks. Attackers manipulate the ID of an object sent within an API request to gain unauthorized access to data or functionality. Here’s how it typically operates:

1. Identification

Attackers first identify API endpoints that receive object IDs as parameters. These endpoints often rely on client-supplied information to determine which objects to access.

2. Manipulation

Then, they manipulate the object ID in the API request. This could be as simple as changing a numeric ID, UUID, or string that represents a specific resource.

3. Unauthorized Access

If the API fails to properly validate the user’s permissions for the requested object, it may return data or allow actions on objects the user shouldn’t have access to.

4. Automation

Once a vulnerability is identified, attackers can automate the process, potentially accessing thousands of records by systematically changing object IDs.

5. Exploitation

Depending on the API’s functionality, attackers might view unauthorized data, modify information, or even perform actions like transferring money or controlling devices.
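The five steps above come down to one missing comparison in the handler that serves the object. The following example, added here and not taken from the original post or from any real service, puts the defective handler beside its hardened form for a hypothetical ride-sharing API. The function names, the Ride type and the RIDES table are assumptions constructed for the demonstration; the last function is the kind of authorization regression check a team can run in CI against both handlers.

```python
"""Vulnerable and hardened object lookups for a hypothetical ride-sharing API.

Example code added to illustrate the BOLA pattern described above; it is not
code from the original post or from any real service. The function names,
the Ride type and the RIDES table are assumptions constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Ride:
    ride_id: int
    owner_id: int
    pickup: str
    dropoff: str


# Constructed sample records standing in for a database table.
RIDES = {
    1001: Ride(1001, owner_id=7, pickup="Airport", dropoff="Hotel"),
    1002: Ride(1002, owner_id=8, pickup="Office", dropoff="Home"),
}


def get_ride_vulnerable(session_user_id: int, ride_id: int) -> Optional[Ride]:
    """Handler with the BOLA defect: it trusts the client-supplied ride_id.

    The caller is authenticated (session_user_id comes from the session, not
    from the request), but nothing ties the requested ride to that caller, so
    any logged-in user can read any ride simply by changing the ID.
    """
    return RIDES.get(ride_id)


def get_ride_secure(session_user_id: int, ride_id: int) -> Optional[Ride]:
    """Same lookup with object-level authorization.

    Ownership is checked against the server-side record, never against a
    value the client sent. A ride that is missing and a ride the caller does
    not own both yield None, so the response does not reveal whether the ID
    exists (an API would map both cases to 404).
    """
    ride = RIDES.get(ride_id)
    if ride is None or ride.owner_id != session_user_id:
        return None
    return ride


def readable_ride_ids(
    lookup: Callable[[int, int], Optional[Ride]],
    session_user_id: int,
    candidate_ids: Iterable[int],
) -> List[int]:
    """Authorization regression check suitable for a CI test suite.

    Runs one user's session against a list of IDs and reports which rides the
    handler returned. For a correct handler the result contains only IDs the
    user owns; anything else is an object-level authorization failure.
    """
    exposed = []
    for ride_id in candidate_ids:
        ride = lookup(session_user_id, ride_id)
        if ride is not None:
            exposed.append(ride.ride_id)
    return exposed


if __name__ == "__main__":
    ids = [1001, 1002, 1003]
    print("vulnerable handler exposes:", readable_ride_ids(get_ride_vulnerable, 7, ids))
    print("secure handler exposes:    ", readable_ride_ids(get_ride_secure, 7, ids))
```

The secure handler deliberately collapses "does not exist" and "not yours" into the same result; answering 403 for the latter would tell a caller which IDs are real, which is exactly the signal that makes step 4 cheap.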

Real-World BOLA Attack Examples

Here are some well-known incidents caused by BOLA vulnerabilities:

1. Uber Account Takeover 

A security expert found a BOLA vulnerability in Uber’s API, enabling attackers to take over user accounts, track locations, book rides without permission, and compromise Uber Driver and Uber Eats accounts.

Why it happened:

The vulnerability was due to Uber’s API endpoints not adequately checking if a user was authorized to access or change the account data they were requesting. Attackers bypassed security requirements by altering user IDs in API requests, allowing them to gain access to any user’s account and revealing a major issue in Uber’s object-level authorization process.

2. Parler Data Breach 

Hackers took advantage of BOLA vulnerabilities in Parler’s API to gather 70TB of data, which included millions of posts, pictures, and videos, before the platform was shut down by its hosting providers.

Why it happened:

The breach happened because the API did not have essential security protections, especially proper object-level authorization. The API endpoints let users access data without verifying whether they had the right to see it. Attackers easily collected user content by altering post IDs in API requests, due to a significant BOLA vulnerability in Parler’s setup.

3. Feeld Dating App Privacy Breach 

BOLA vulnerabilities in the Feeld dating app’s API allowed threat actors unauthorized access to users’ private photos and chat groups, in addition to the ability to modify other users’ chat messages.

Why it happened:

The Feeld app’s API lacked proper checks for authorization when accessing resources like photos and chat messages. It depended entirely on unique IDs provided by the client to retrieve data, without confirming if the logged-in user had access to those resources. This mistake allowed attackers to manipulate resource IDs and gain unauthorized access. 

Consequences of BOLA Attacks

BOLA vulnerabilities can have serious consequences if not identified and remediated. Here are some of the implications: 

Data Theft and Privacy Breaches

BOLA weaknesses can allow unwanted access to important user information, risking exposure of personal data, financial information, or private business details.

Business Functions and API Safety

BOLA attacks can interrupt business functions, harm reputation, and decrease user confidence. They might also cause service interruptions or alter essential data.

Data breaches caused by BOLA weaknesses can lead to significant legal and regulatory issues, particularly in sectors governed by strict data protection regulations like GDPR or HIPAA.

How to Prevent BOLA Vulnerabilities

Here are some of the ways to prevent BOLA attacks: 

Prevention strategy and description:

Implement Robust Checks: Develop centralized authorization mechanisms, implement checks at function and object levels, use RBAC or ABAC, ensure consistent checks across all API endpoints.

Use Unpredictable Object Identifiers: Replace sequential IDs with GUIDs or UUIDs, avoid exposing internal database IDs, consider encrypted or signed tokens for object references.

Implement the Principle of Least Privilege: Grant minimum necessary access, regularly review permissions, implement time-bound access for sensitive operations.

Utilize API Gateways: Use a central point for security policies, authentication, rate limiting, and logging. Validate tokens and permissions before forwarding requests.

Implement Proper Authentication: Use strong protocols (OAuth 2.0, OpenID Connect), implement multi-factor authentication, ensure secure token management and validation.

Conduct Thorough API Security Testing: Perform regular automated scans, conduct manual penetration testing, implement security testing in the CI/CD pipeline.

Implement Proper Logging and Monitoring: Log all access attempts, implement real-time monitoring and alerting, regularly review logs for potential BOLA attempts.

Use Parameterized Queries: Avoid direct string concatenation, use parameterized queries or prepared statements to prevent SQL injection.

Implement API Versioning: Maintain proper versioning, deprecate and remove older vulnerable versions.

Educate Development Teams: Provide regular training, implement secure coding guidelines, conduct code reviews focusing on authorization checks.

Implement Rate Limiting: Apply rate limiting to prevent brute force attempts, implement stricter limits for write operations.

Use Security Headers: Implement security headers (CSP, X-Frame-Options, X-XSS-Protection), configure CORS policies correctly.
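The logging and monitoring row above says to review logs for potential BOLA attempts, and the tell-tale pattern is one principal being refused on many different object IDs in a short time. The following detector is an example added here, not code from the original post: it reads JSON access-log lines, keeps only refused requests (403 and 404, since a hardened handler may answer 404 for objects the caller does not own), and raises one alert per user and resource type when a sliding window holds at least a threshold of distinct refused IDs. The log format, field names and sample lines are constructed for the demonstration, so parse_line has to be adapted to whatever your gateway emits.

```python
"""Spotting object-ID enumeration in API access logs.

Example code added to illustrate the logging and monitoring row above; it is
not code from the original post. The JSON log format, field names and the
sample lines are constructed for the demonstration, so adapt parse_line to
the format your gateway actually emits.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: one JSON record per line, as an API gateway might
# write them. User u7 walks consecutive ride IDs and is refused five times
# in five seconds; u8 makes one mistaken request; u9 is refused five times
# but spread over eight minutes.
SAMPLE_LOG = """
{"ts": "2024-10-30T10:00:00Z", "user": "u7", "method": "GET", "path": "/api/rides/1001", "status": 200}
{"ts": "2024-10-30T10:00:01Z", "user": "u7", "method": "GET", "path": "/api/rides/1002", "status": 403}
{"ts": "2024-10-30T10:00:02Z", "user": "u7", "method": "GET", "path": "/api/rides/1003", "status": 403}
{"ts": "2024-10-30T10:00:03Z", "user": "u7", "method": "GET", "path": "/api/rides/1004", "status": 404}
{"ts": "2024-10-30T10:00:04Z", "user": "u7", "method": "GET", "path": "/api/rides/1005", "status": 403}
{"ts": "2024-10-30T10:00:05Z", "user": "u7", "method": "GET", "path": "/api/rides/1006", "status": 403}
{"ts": "2024-10-30T10:01:00Z", "user": "u8", "method": "GET", "path": "/api/rides/2001", "status": 200}
{"ts": "2024-10-30T10:01:30Z", "user": "u8", "method": "GET", "path": "/api/rides/2002", "status": 403}
{"ts": "2024-10-30T10:05:00Z", "user": "u9", "method": "GET", "path": "/api/rides/3001", "status": 403}
{"ts": "2024-10-30T10:07:00Z", "user": "u9", "method": "GET", "path": "/api/rides/3002", "status": 403}
{"ts": "2024-10-30T10:09:00Z", "user": "u9", "method": "GET", "path": "/api/rides/3003", "status": 403}
{"ts": "2024-10-30T10:11:00Z", "user": "u9", "method": "GET", "path": "/api/rides/3004", "status": 403}
{"ts": "2024-10-30T10:13:00Z", "user": "u9", "method": "GET", "path": "/api/rides/3005", "status": 403}
"""

# Both 403 and 404 count as refusals: a hardened handler may answer 404 for
# objects the caller does not own, precisely so it does not confirm they exist.
REFUSED = {403, 404}


def parse_line(line: str) -> dict:
    """Turn one JSON log record into the fields the detector needs.

    The object ID is the last path segment and the resource type the segment
    before it, e.g. /api/rides/1002 -> ("rides", "1002").
    """
    rec = json.loads(line)
    parts = rec["path"].strip("/").split("/")
    return {
        "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
        "user": rec["user"],
        "resource": parts[-2] if len(parts) >= 2 else "",
        "object_id": parts[-1],
        "status": int(rec["status"]),
    }


def find_enumeration(log_text: str, window_seconds: int = 60, threshold: int = 5) -> List[dict]:
    """Flag (user, resource) pairs refused on >= threshold distinct object IDs
    within any sliding window of window_seconds. One alert per pair."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    refused: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for e in events:
        if e["status"] in REFUSED:
            refused[(e["user"], e["resource"])].append(e)

    alerts = []
    for (user, resource), evs in refused.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct_ids = {e["object_id"] for e in evs[start:end + 1]}
            if len(distinct_ids) >= threshold:
                alerts.append({
                    "user": user,
                    "resource": resource,
                    "distinct_refused_ids": len(distinct_ids),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

With the defaults only u7 is flagged; widening the window to ten minutes also catches u9's slow walk, which is the trade-off to tune against the false-positive rate of legitimate clients that occasionally hit stale IDs. The same counts can feed the rate-limiting row above, since a principal that trips the detector is a good candidate for a stricter per-user limit.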

Why OWASP and BOLA: A Comprehensive Framework Matters

The Open Web Application Security Project (OWASP) provides important guidelines for keeping APIs secure, including suggestions for dealing with BOLA vulnerabilities. By following OWASP’s framework, organizations can take a thorough approach to API security, covering BOLA and other serious vulnerabilities.

BOLA is highlighted as the top threat in OWASP’s API Security Top 10 list, which shows the seriousness of the threat and its impact. This acknowledgment helps security teams prioritize work and use resources wisely to lessen BOLA risks.

By understanding and addressing BOLA vulnerabilities within the context of OWASP’s guidelines, organizations can significantly enhance their overall API security posture and protect against a wide range of potential attacks.

Recommendations to Avoid BOLA Vulnerabilities 

Here are some of the recommendations to avoid BOLA vulnerabilities: 

Enforce Minimum Privileges

In designing systems, give users the least privileges they need for their tasks. Identify user types, resources, and what each needs to do. Look at horizontal access (across departments) and vertical access (within the hierarchy). Conduct regular reviews to avoid “privilege creep,” where users accumulate permissions they no longer need over time.

Use Deny by Default

This is very important. Configure applications to deny access by default instead of allowing it. Every grant of access must be explicitly defined and approved. Do not rely only on framework defaults; ensure explicit configuration is in place. This approach reduces the chance of mistakenly exposing resources through errors or oversights.

Validate Permissions on Every Request 

Implement consistent permission checks on every request, regardless of its source (AJAX, server-side, etc.). Application-wide enforcement can be achieved with technologies like Java Filters, Django Middleware, or .NET Core Filters. Remember that missing even one check can compromise resource security.

Review Third-Party Authorization Logic 

Third-party resources can have vulnerabilities. Therefore, thoroughly analyze the security capabilities of frameworks and libraries used for authorization. Don’t assume default configurations are sufficient. Create processes for detecting vulnerable components. Implement defense in depth rather than relying on a single framework for access control.
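The four recommendations above fit together as one design: an explicit allow list that encodes least privilege (horizontal limits by ownership or department, vertical limits by role), a decision function that denies anything not on that list, and a single entry point that every request passes through so no handler can forget the check. The following example, added here and not taken from the original post, implements that design for a hypothetical invoice API without depending on any framework's defaults. The roles, actions, invoice records and policy table are assumptions constructed for the demonstration.

```python
"""Deny-by-default authorization enforced at a single chokepoint.

Example code added to illustrate the recommendations above; it is not code
from the original post. The roles, actions, invoice records and policy table
are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str          # constructed roles: "customer", "agent", "admin"
    department: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str
    department: str
    amount: int


# Constructed records standing in for a database table.
INVOICES: Dict[str, Invoice] = {
    "inv-100": Invoice("inv-100", owner_id="c1", department="billing", amount=120),
    "inv-200": Invoice("inv-200", owner_id="c2", department="billing", amount=80),
    "inv-300": Invoice("inv-300", owner_id="c3", department="sales", amount=450),
}

Rule = Callable[[Principal, Invoice], bool]

# The explicit allow list. Every permitted (role, action) pair must appear
# here with the condition under which it is permitted; anything absent is
# denied. Customers are bounded horizontally to their own objects, agents to
# their department, and only admins hold the vertical privilege to delete.
POLICY: Dict[Tuple[str, str], Rule] = {
    ("customer", "read"):   lambda p, inv: inv.owner_id == p.user_id,
    ("customer", "update"): lambda p, inv: inv.owner_id == p.user_id,
    ("agent", "read"):      lambda p, inv: inv.department == p.department,
    ("admin", "read"):      lambda p, inv: True,
    ("admin", "delete"):    lambda p, inv: True,
}

# Every decision is recorded, allowed or not, so refusals can be reviewed.
AUDIT: List[dict] = []


def authorize(principal: Principal, action: str, invoice: Invoice) -> bool:
    """Central decision: no matching rule means denied, never allowed."""
    rule = POLICY.get((principal.role, action))
    allowed = rule is not None and bool(rule(principal, invoice))
    AUDIT.append({"user": principal.user_id, "action": action,
                  "object": invoice.invoice_id, "allowed": allowed})
    return allowed


def _read(inv: Invoice) -> dict:
    return {"invoice_id": inv.invoice_id, "amount": inv.amount}


def _update(inv: Invoice) -> dict:
    return {"invoice_id": inv.invoice_id, "updated": True}


def _delete(inv: Invoice) -> dict:
    INVOICES.pop(inv.invoice_id, None)
    return {"deleted": inv.invoice_id}


HANDLERS: Dict[str, Callable[[Invoice], dict]] = {"read": _read, "update": _update, "delete": _delete}


def handle_request(principal: Principal, action: str, invoice_id: str) -> Tuple[int, Optional[dict]]:
    """The one entry point every request passes through, so no handler can
    skip the check. Returns an HTTP-style status and the response body."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not authorize(principal, action, invoice):
        return 403, None
    handler = HANDLERS.get(action)
    if handler is None:   # cannot happen while POLICY names only known actions
        return 404, None
    return 200, handler(invoice)


# Constructed principals used by the demo and the tests.
CUSTOMER_C1 = Principal("c1", "customer", "billing")
AGENT_BILLING = Principal("a1", "agent", "billing")
ADMIN = Principal("root", "admin", "it")
INTERN_C1 = Principal("c1", "intern", "billing")   # role with no policy entries


if __name__ == "__main__":
    for who, action, inv in [(CUSTOMER_C1, "read", "inv-100"), (CUSTOMER_C1, "read", "inv-200"),
                             (AGENT_BILLING, "delete", "inv-200"), (INTERN_C1, "read", "inv-100")]:
        print(who.role, action, inv, "->", handle_request(who, action, inv)[0])
```

Note that the intern principal is refused even for an invoice it owns: an unknown role has no entries in POLICY, so the default applies. That is the property the "deny by default" recommendation is after, and it is also what a framework's permissive default would silently undo.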

How SecureLayer7 Can Help 

SecureLayer7 is a leading offensive security company which leverages various advanced tools and methodologies to prevent API vulnerabilities in applications. 

Comprehensive Testing Method

SL7 uses both automated tools and human testers who are trained in security. This blend allows for detailed findings of BOLA weaknesses by using quick scans and the skilled insight of experts to spot complex issues with authorization.

Powerful API Scanner

SecureLayer7 uses its proprietary BugDazz API Scanner to identify and detect common OWASP vulnerabilities. It comes with robust features such as real-time scanning, authentication and access control checks, and on-prem deployment, and it integrates easily with your CI/CD pipeline.

CREST-certified Pentesters 

SecureLayer7 has a team of highly qualified and experienced CREST-certified pentesters to ensure the quality of penetration testing. 

Real-time Vulnerability Finding

SecureLayer7’s BugDazz PTaaS platform gives instant insight into weaknesses, including BOLA problems. This quick detection helps companies spot and fix authorization issues right away, cutting down on the window in which they can be attacked.

SDLC Integration 

By connecting with tools like JIRA and ServiceNow, SL7 supports ongoing security testing in the development process. This connection helps find BOLA weaknesses early, making them easier and cheaper to remedy.

Realistic Attack Simulations

Our pentesters can mimic real attack situations that could potentially reveal BOLA vulnerabilities. This method gives a more accurate view of an application’s security and finds minor authorization issues that attackers could exploit.

Rapid Identification

Our experts quickly identify issues and make it simple to schedule verification of the fixes. This efficient process makes sure that once BOLA weaknesses are found, they can be promptly resolved and re-checked, reducing the time an application is at risk of attack.

Continuous Monitoring 

With year-long portal access and continued teamwork, SL7 allows for ongoing monitoring and improvement of API security. This long-term strategy helps organizations keep strong defenses against BOLA attacks, adapting to new dangers and security practices.

Conclusion 

Ultimately, identifying BOLA vulnerabilities is just the beginning. Building truly secure APIs requires comprehensive developer support, which includes providing both security knowledge and practical tools, so that teams can implement strong authorization from API inception.

Worried about BOLA attacks? Take control of your API security with SecureLayer7’s comprehensive platform, which discovers all APIs, classifies sensitive data, and enables security teams to implement positive security controls across public, private, and shadow APIs. Book an appointment today. Our security experts are ready to help.
