BOLA explained: The silent data killer
Imagine walking into a bank, showing the teller your ID to prove you are an account holder, and then asking to see the balance for account number 88421 (which belongs to someone else). If the teller checks your ID, verifies you are a customer of the bank, and immediately hands you the other person's bank statement without checking if you actually own account 88421, that teller has committed a BOLA violation.
In API terms, an endpoint like GET /api/v1/invoices/88421 returns a payment record when called by User A. The vulnerability exists when User B receives that same record simply by changing the ID in the request. The API successfully authenticated User B (they had a valid JWT token), but it never authorized the specific resource access (it never checked if the invoice belonged to User B). Because it requires no sophisticated exploitation, BOLA vulnerabilities frequently score as high as 9.9 (Critical) on the CVSS scale.
Why predictable IDs turn a flaw into a catastrophe
A BOLA vulnerability on its own allows targeted data theft. But when combined with sequential integer IDs (e.g., user 100, user 101, user 102), it transforms into a weapon of mass exfiltration. Attackers automate enumeration using simple Python scripts or tools like Burp Suite Intruder that cycle through ID ranges in milliseconds, downloading your entire database record by record.
Replacing sequential integers with GUIDs (128-bit random identifiers like 550e8400-e29b-41d4-a716-446655440000) cuts mass-guessing success rates to statistically negligible levels. However, GUIDs are not a fix for BOLA. If an attacker discovers another user's GUID through a different API leak, a shared link, or a referral code, the underlying BOLA vulnerability remains fully exploitable. GUIDs merely remove the arithmetic that makes automated scraping easy.
Nigerian fintech scenarios: Where BOLA strikes
In the Nigerian payment ecosystem, the architecture often involves complex hierarchies of users, agents, and merchants. This complexity breeds BOLA vulnerabilities. Common scenarios we discover during API security assessments include:
- Agent Network Exploitation: A mobile money agent logged into their portal can view the KYC documents (BVN details, NIN slips) of customers registered by other agents simply by incrementing the `customer_id` parameter in the API request.
- Wallet Fund Transfers: An authenticated user calls
POST /api/transfersbut modifies thesource_wallet_idin the JSON payload to point to another user's wallet. If the backend only verifies the JWT token and not the ownership of thesource_wallet_id, the attacker drains the victim's funds. - Merchant Dashboard Leaks: A sub-merchant accesses the main aggregator's transaction history by changing the `merchant_id` in the reporting endpoint, exposing millions of Naira in transaction volume data and PII to a competitor.
Real-world breach scenarios
BOLA is not theoretical. It has compromised some of the most sophisticated technology companies globally.
T-Mobile: 37 million accounts exposed
In early 2023, attackers harvested subscriber data from approximately 37 million accounts entirely through API abuse. The breach combined a poorly secured endpoint and sequential user IDs. The attacker simply asked the API for data on user 1, then user 2, then user 3, until they had 37 million records. The direct parallel to how poorly designed payment platforms structure their user data is exact and terrifying.
Stripe's deprecated endpoint vulnerability
Even industry leaders make mistakes. In a recently documented case, attackers were able to validate stolen credit cards through a legacy /v1/sources endpoint that lacked modern rate limiting and authorization controls. Deprecated endpoints that are left active ("zombie APIs") without decommissioning policies represent a massive, unmonitored BOLA risk.
Coinbase: Unauthorized trading logic
In a widely publicized bug bounty report, a security researcher discovered that an authenticated user could trigger trades on another user's account by manipulating object identifiers in the API request. The platform confirmed the user was logged in (Authentication), but skipped the ownership check entirely before executing the financial logic (Authorization).
Are your core transaction endpoints vulnerable to object manipulation?
Book an API Security AuditThe compounding threat picture
BOLA rarely acts alone. Several other OWASP API Top 10 categories interact synergistically with BOLA to multiply the damage. Broken Authentication (API2) accelerates exploitation by giving attackers easier access to initial valid tokens. Broken Object Property Level Authorization (BOPLA - API3) allows modification of sensitive fields (like changing `is_admin=true`) that a user shouldn't control. Unrestricted business flows (API6) let automated bots exploit payment logic at scale. Fix the core object-level check, and the blast radius of these adjacent vulnerabilities shrinks significantly. For a full breakdown of these interactions, read our comprehensive OWASP for fintech guide.
What a BOLA breach costs your business
The regulatory and financial impact of a BOLA breach is devastating. PCI DSS 4.0 Requirement 6.5.6 explicitly mandates securing APIs against broken object level authorization. Furthermore, under the NDPA 2023, exposing PII through a BOLA flaw constitutes a reportable breach. The average financial services data breach reached $6.08 million globally according to IBM's 2024 report. In Nigeria, the loss of trust from a BOLA-exploited payment API often results in immediate merchant churn and intense scrutiny from the CBN.
The BOLA mitigation checklist
Preventing BOLA requires structural changes to how your API handles state and context. Implement the following controls immediately.
Authorisation controls
- Mandatory Ownership Checks: Every single data-access endpoint must perform an object-level ownership verification. The backend must query the database:
SELECT * FROM invoices WHERE id = ? AND user_id = ?(where user_id is extracted securely from the JWT token, not the client request). - Use Non-Sequential Identifiers: All object identifiers exposed to the client must be non-sequential (UUIDv4 or similar GUIDs) to prevent automated enumeration.
- Step-Up Authentication: Highly sensitive operations (like changing payout accounts or modifying BVN details) must require re-authentication or an OTP, even if the user has an active session.
- Strict Token Scopes: Token scopes must be minimized to least-privilege per API consumer. A token issued for a mobile app should not have the authority to access admin dashboard endpoints.
- Centralized Policy Enforcement: Authorization policies should be defined centrally in middleware, not scattered randomly across hundreds of individual controllers. This ensures the check is never accidentally forgotten.
Monitoring and architectural controls
- Contextual Logging: All API requests to payment resources must be logged with the authenticated user identity, the requested object ID, and a timestamp. Without this, you cannot investigate a BOLA breach post-incident.
- Granular Rate Limiting: Implement advanced rate limiting per endpoint, with immediate alerting on threshold breaches. A user requesting 500 different invoice IDs in a minute is attacking you.
- API Inventory Management: Deprecated endpoints must be aggressively inventoried and either decommissioned completely or isolated. Zombie APIs are prime BOLA targets.
- Third-Party Scrutiny: Third-party API integrations and webhooks are subject to the same strict object-level authorization requirements as your core platform.
Authorisation as architecture, not a backlog item
Teams that treat authorization as a core architectural decision - enforced centrally in middleware, tested consistently in CI/CD, and audited thoroughly on every major deployment - close most of their exposure. Conversely, teams that treat authorization as a mere code review comment or an afterthought inherit the exact same catastrophic risk that compromised T-Mobile, Stripe, and Coinbase.
Frequently asked questions
What exactly is Broken Object Level Authorization (BOLA)?
BOLA (formerly known as IDOR - Insecure Direct Object Reference) occurs when an API endpoint correctly authenticates a user to use the API, but fails to check if that specific user has authorization to access the specific requested data object (like a transaction record or wallet balance).
How do attackers exploit BOLA in fintech applications?
Attackers log in with their own legitimate account. They intercept the API requests their app makes to the server. If they see an endpoint like /api/v1/wallets/1042/balance, they simply change '1042' to '1043'. If the server returns user 1043's balance, the attacker has successfully exploited a BOLA vulnerability.
Why are sequential IDs so dangerous when combined with BOLA?
Sequential IDs (1, 2, 3...) allow an attacker to write a simple script that iterates through every possible ID number. A single BOLA vulnerability combined with sequential IDs turns an isolated data exposure into a massive, automated data exfiltration event, allowing attackers to dump your entire database in minutes.
Does using GUIDs/UUIDs fix BOLA vulnerabilities?
No. Replacing sequential integers with 128-bit random identifiers (GUIDs) prevents attackers from easily guessing IDs, stopping mass automated enumeration. However, if an attacker discovers another user's GUID (e.g., through a referral link or a different API leak), they can still exploit the BOLA vulnerability. GUIDs are a defense-in-depth measure, not a replacement for proper authorization checks.
Related reading
Blog: Fintech API security: 10 steps · Secure your fintech API in Nigeria · 10-point security checklist · Rate Limiting and Anti-Fraud Patterns
Guides: OWASP for fintech · PCI DSS compliance · Security checklist
Services: API security testing · Penetration testing · For payment gateways