Also called: BOLA or Broken Access Control (object level)

What it means

BOLA happens when an application fails to properly check if a user is allowed to access or modify a specific object (data/resource).

In simple terms:

• User A should NOT access User B’s data
• But the system fails to enforce that rule

Core idea

Even if a user is logged in and authenticated, they may still be able to access or manipulate data they don’t own because the system does not properly check authorization at the object level.

Example (Coinbase case)

• A researcher used Coinbase APIs normally (valid account, valid trade)
• API request included:
  • asset type (Ethereum)
  • quantity
  • market info
• The system did NOT properly validate ownership of the asset being traded
• The researcher changed:
  • Ethereum (owned asset) → Bitcoin (not owned)
• The API still processed the request successfully
• Result:
  • Unauthorized trade was executed
  • Large financial mismatch occurred

Root cause:

Missing logic validation for asset ownership (object-level check not enforced)