So there I was, minding my own business, clicking buttons like every curious bug bounty hunter does, purely for research purposes, of course.
I stumbled onto a feature that lets you "favorite" boards. Simple enough. Click a star, feel productive, move on. But something felt… too smooth. And in bug hunting, "too smooth" is usually code for "something's about to go very wrong."
The API behind this feature looked straightforward:
POST /api/v2/favourite
GET /api/v2/favourite/board/{uuid}
Classic stuff. You send a request with a modelUuid and, boom, your board is now a favorite. Nothing suspicious at first glance.
Until I asked myself the golden question:
"What if I just… change the UUID?"
You already know where this is going.
I took a valid request like this:
{ "modelUuid": "***", "modelType": "board" }
Sent it. Got a 201 Created. Life was good.
Then I swapped the UUID with one that didn't belong to me.
Sent it again.
Still 201 Created.
No complaints. No errors. No "hey, that's not yours." Just pure acceptance. The API basically said:
"If you like it, I love it."
At this point, I wasn't favoriting boards anymore; I was collecting strangers' boards like Pokémon.

And Then It Got Worse
Naturally, I tried the GET endpoint:
GET /api/v2/favourite/board/{uuid}
Using my session… but someone else's board UUID.
And guess what?
It returned the data.
No hesitation. No permission checks. Just:
"Here you go, enjoy someone else's stuff."
What's Actually Going On
This is a textbook case of broken access control.
The API trusts the user input (modelUuid) way more than it should. It doesn't verify whether:
- The board actually belongs to the requesting user
- The user is authorized to interact with that resource
So as long as you're authenticated, you can:
- Add any board to favorites
- Retrieve data for any board
Authentication? Yes. Authorization? Not invited to the party.
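As an added illustration (not code from the report or from the vendor's API), here is a minimal Python model of the two endpoints: the insecure handler that only checks the board exists, beside a hardened version that also checks ownership against the session user before favouriting or returning data. The users, UUIDs and single-owner model are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed sample data (hypothetical UUIDs and users, not from the report).
ALICE_BOARD = "11111111-1111-4111-8111-111111111111"
BOB_BOARD = "22222222-2222-4222-8222-222222222222"
BOARDS = {
    ALICE_BOARD: {"owner": "alice", "title": "Alice's roadmap"},
    BOB_BOARD: {"owner": "bob", "title": "Bob's budget"},
}
# A favourites store maps an authenticated user to the board UUIDs they favourited.
FavStore = Dict[str, Set[str]]
Response = Tuple[int, dict]

def favourite_insecure(store: FavStore, user: str, body: dict) -> Response:
    """POST /api/v2/favourite as the post describes it: the board only has to exist."""
    uuid = body.get("modelUuid")
    if body.get("modelType") != "board" or uuid not in BOARDS:
        return 400, {"error": "bad request"}
    store.setdefault(user, set()).add(uuid)  # no ownership check: any board, any user
    return 201, {}

def can_access(user: str, uuid) -> bool:
    """Authorization: the board must exist AND belong to the requesting user."""
    board = BOARDS.get(uuid)
    return board is not None and board["owner"] == user

def favourite_secure(store: FavStore, user: str, body: dict) -> Response:
    """Hardened POST: authorization is decided server-side from the session user."""
    uuid = body.get("modelUuid")
    if body.get("modelType") != "board":
        return 400, {"error": "bad request"}
    if not can_access(user, uuid):
        # 404 rather than 403 so the response does not reveal whether the UUID exists.
        return 404, {"error": "not found"}
    store.setdefault(user, set()).add(uuid)
    return 201, {}

def get_favourite_secure(store: FavStore, user: str, uuid: str) -> Response:
    """Hardened GET /api/v2/favourite/board/{uuid}: same check before returning data."""
    if not can_access(user, uuid):
        return 404, {"error": "not found"}
    return 200, {
        "modelUuid": uuid,
        "title": BOARDS[uuid]["title"],
        "favourited": uuid in store.get(user, set()),
    }
```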
Why This Matters
This isn't just a quirky bug; it has real impact:
- You can manipulate another user's favorites
- You can access data that isn't yours
- You're basically walking through doors that should be locked
It's like having a hotel key card that opens every room… and the minibar.
Final Thoughts
This one is a good reminder that:
Just because an API works… doesn't mean it's working correctly.
Always validate ownership. Always enforce authorization. And never trust user-controlled identifiers without checking them.
Feel free to connect with me:
LinkedIn: https://www.linkedin.com/in/umanhonlen/
Portfolio: https://linktr.ee/umanhonlengabriel
Thank you!