
Attackers can exploit API endpoints vulnerable to broken object level authorization by supplying the same object-identifying data attributes that the web application itself sends in its requests.

The following example shows how an attacker could use a stolen user's ID and password to access their bank account:

A malicious user steals a valid user's credentials from a compromised website, then reuses those credentials on the bank's mobile app or online banking site. The attacker is able to log into the victim's account because they hold the victim's username and password. Now, let's say that this victim has linked their bank accounts with another service provider (e.g., Amazon)
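As an added illustration of the broken object level authorization point above (this is not code from the original post), here is a minimal account lookup in Python with the vulnerable handler beside the hardened one; the account data, user names and the `AuthorizationError` class are constructed for the example.

```python
# Added example (not from the original post): a minimal in-memory account
# lookup showing a BOLA-style defect and the object-level check that fixes it.
# All accounts, users and the AuthorizationError type are constructed here.

from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested object."""


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance_cents: int


# Constructed sample data standing in for the bank's account table.
ACCOUNTS = {
    1001: Account(1001, "alice", 250_00),
    1002: Account(1002, "bob", 99_00),
}


def get_account_vulnerable(session_user: str, account_id: int) -> Account:
    """BOLA defect: the id taken from the request is trusted as-is; the
    logged-in user is never compared with the object's owner, so any valid
    session can read any account by changing the id."""
    return ACCOUNTS[account_id]


def get_account_authorized(session_user: str, account_id: int) -> Account:
    """Hardened form: look the object up, then verify the session user owns
    it. Using one error for both 'missing' and 'not yours' avoids revealing
    which ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        raise AuthorizationError(f"account {account_id} not accessible to {session_user}")
    return account


def can_read(handler, session_user: str, account_id: int) -> bool:
    """Compare the two handlers: True if the lookup succeeds for this user."""
    try:
        handler(session_user, account_id)
        return True
    except (KeyError, AuthorizationError):
        return False
```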
