🔐 Security Writeup

BOLA in Bookmarks API

Insecure Direct Object Reference

Target: DPG Media / De Morgen

Code: DPGM-LQ1L4IAL

Severity: Low (Platform rating)

Status: Archived / Duplicate

🧠 Summary

A Broken Object Level Authorization (BOLA) vulnerability was identified in the Bookmarks API. The API authenticates the caller but never verifies that the caller owns the bookmark collection named in the request, so one account can read another account's data.

⚠️ Issue Description

The endpoint takes the target user's identifier (a UUID) from the request body and performs the requested bookmark action on that user's data without checking that the UUID belongs to the authenticated session. Any logged-in user who knows another user's UUID can therefore substitute it and operate on that user's bookmarks.

🧪 Example Request

POST /api/_next-api/bookmarks/ HTTP/1.1
Host: shop.demorgen.be
Content-Type: application/json

{
  "userId": "VICTIM-UUID",
  "action": "list"
}
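The following is an added example, not code from the original report or from DPG Media. It models the bookmarks endpoint as a pure function of (session, JSON body) so that the missing ownership check can be shown beside its fix, and replays the report's probe (victim UUID in the body, attacker's session) against both variants. The in-memory store, the session shape, the two UUIDs and the "add"/"remove" actions are assumptions for illustration; only the "list" action appears in the report.

```javascript
// Added example, not code from the original report or from DPG Media.
// The in-memory store, session shape, UUIDs and the "add"/"remove" actions
// are assumptions for illustration; only "list" appears in the report.

// Constructed sample data: two users, each with their own bookmark list.
const ATTACKER = "11111111-1111-4111-8111-111111111111";
const VICTIM = "22222222-2222-4222-8222-222222222222";

function freshStore() {
  return new Map([
    [ATTACKER, ["article/1001"]],
    [VICTIM, ["article/2001", "article/2002"]],
  ]);
}

// Shared request handling: require a session, parse JSON, dispatch on action.
// resolveOwner(session, body) decides whose bookmarks the action applies to
// (null means refuse); it is the only difference between the two variants.
function makeHandler(store, resolveOwner) {
  return function handle(session, rawBody) {
    if (!session || typeof session.userId !== "string") {
      return { status: 401, body: { error: "unauthenticated" } };
    }
    let body;
    try {
      body = JSON.parse(rawBody);
    } catch (e) {
      return { status: 400, body: { error: "invalid json" } };
    }
    if (body === null || typeof body !== "object") {
      return { status: 400, body: { error: "object expected" } };
    }
    const owner = resolveOwner(session, body);
    if (owner === null) {
      // Generic refusal: do not reveal whether the requested UUID exists.
      return { status: 403, body: { error: "forbidden" } };
    }
    const items = store.get(owner) || [];
    switch (body.action) {
      case "list":
        return { status: 200, body: { userId: owner, items: [...items] } };
      case "add":
        if (typeof body.item !== "string") {
          return { status: 400, body: { error: "item required" } };
        }
        if (!items.includes(body.item)) items.push(body.item);
        store.set(owner, items);
        return { status: 200, body: { userId: owner, items: [...items] } };
      case "remove":
        store.set(owner, items.filter((x) => x !== body.item));
        return { status: 200, body: { userId: owner, items: [...store.get(owner)] } };
      default:
        return { status: 400, body: { error: "unknown action" } };
    }
  };
}

// As reported: the owner is whatever userId the client sent. The caller is
// authenticated, but nothing ties the requested object to that caller.
function ownerFromBody(session, body) {
  return body.userId;
}

// Fixed: the owner is the authenticated principal. A body userId is tolerated
// only when it matches the session; anything else is a cross-account attempt.
function ownerFromSession(session, body) {
  if (body.userId !== undefined && body.userId !== session.userId) return null;
  return session.userId;
}

// Replays the report's probe against both variants and returns the responses:
// the vulnerable handler returns the victim's list, the fixed one returns 403.
function replayProbe() {
  const probe = JSON.stringify({ userId: VICTIM, action: "list" });
  const vulnerable = makeHandler(freshStore(), ownerFromBody);
  const fixed = makeHandler(freshStore(), ownerFromSession);
  return {
    vulnerable: vulnerable({ userId: ATTACKER }, probe),
    fixed: fixed({ userId: ATTACKER }, probe),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(replayProbe(), null, 2));
}
```

Two design points worth noting. First, the ownership decision is made once, before the action switch, so "add" and "remove" are protected by the same rule as "list"; a fix that only guards the action that was reported leaves the others open. Second, a mismatched userId is refused with a generic 403 rather than silently rewritten to the session user, so the server never confirms whether the supplied UUID corresponds to a real account and the attempt is visible in logs.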

💥 Impact

An authenticated user who knows another user's UUID can list that user's bookmarks, revealing which articles they have saved. Exploitation requires the victim's UUID: if UUIDs are randomly generated and not exposed elsewhere they are not guessable, which limits the practical impact and is reflected in the platform's Low rating.

🛡️ Recommendation

Derive the user from the authenticated session and ignore or reject any client-supplied userId. Enforce the ownership check on every bookmark action the endpoint supports, not only on listing, and return a generic error on mismatch so the response does not confirm whether the supplied UUID belongs to an existing account.

📌 Conclusion

This issue highlights a classic BOLA vulnerability where missing authorization checks allow cross-user access to sensitive data.

⚡ Writeup created for educational and security research purposes.