The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API
ID: bae97383-0ffe-5ef0-b539-1f0e0c49a16e
STIX ID: report--bae97383-0ffe-5ef0-b539-1f0e0c49a16e
Feed Name: Wiz Blog
An autonomous agent (Red Agent) autonomously minted an anonymous session, performed GraphQL schema introspection, and exploited a Broken Object-Level Authorization (BOLA) flaw in an airline booking API to enumerate sequential booking IDs and retrieve and modify passenger records at scale—exposing PII (names, DOB, emails, phones, addresses), masked payment details, loyalty numbers, and live itineraries, and enabling booking modifications, cancellations, and unauthorized refunds within minutes; the report emphasizes that conventional scanners miss such logic flaws and recommends object-level authorization, non-guessable identifiers, and restricted introspection.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
