LinkedIn API Access Control Bypass: What Bug Hunters Need to Know
📢 Affiliate Disclosure: This site contains affiliate links to Amazon. We earn a commission when you purchase through our links at no additional cost to you.
Two major access control vulnerabilities were just disclosed on LinkedIn via HackerOne. These bugs highlight why BOLA (Broken Object Level Authorization) remains the #1 API security vulnerability in 2026.
If you're bug bounty hunting on platforms with APIs (basically all modern web apps), understanding these patterns is worth thousands of dollars in bounties.
What Happened
Two security researchers found separate authorization bypasses in LinkedIn's API:
Vulnerability #1: Comment Permission Bypass
Impact: Previous commenters retained access to posts even after comments were disabled by the post author.
How it worked:
- User A posts content with comments enabled
- User B comments on the post
- User A disables comments on the post
- Bug: User B can still access and read the post content via the comments API endpoint
Root cause: Authorization check only verified "has this user commented?" but failed to verify "are comments still enabled?"
Vulnerability #2: Premium Feature Access Bypass
Impact: Non-premium users could access the "Active Hiring" filter feature (normally requires LinkedIn Premium subscription) by manipulating GraphQL API calls.
How it worked:
- Premium feature UI hidden for non-premium users (frontend only)
- GraphQL API endpoint for "Active Hiring" filter didn't verify premium status
- Bug: Craft GraphQL query directly → bypass frontend restriction → access premium data
Root cause: "Security through obscurity" - hiding UI elements doesn't equal proper authorization.
Why This Matters for Bug Hunters
BOLA is the #1 API vulnerability according to OWASP API Security Top 10. Here's why:
- Extremely common: 40-60% of APIs have BOLA vulnerabilities
- High impact: Data exposure, unauthorized access, privacy violations
- Easy to find: Automated testing catches many cases
- High bounties: Medium to High severity ($500-5,000 typical range)
💰 Bounty Tip: LinkedIn paid out for both of these bugs (upvotes on HackerOne: 36 and 29). That's likely $1,000-3,000 per bug. Finding similar patterns on other platforms = reliable income.
How to Test for BOLA/IDOR in APIs
Step 1: Map API Endpoints
Use Burp Suite Professional to intercept all API calls as you use the application:
- Enable proxy interception
- Browse the application normally (create posts, comments, profiles)
- Note all API endpoints that return or modify data
- Pay attention to GraphQL endpoints (often single endpoint: /graphql)
Step 2: Identify Object References
Look for patterns like:
- IDs: /api/posts/12345, /api/users/67890
- UUIDs: /api/comments/a1b2c3d4-e5f6-...
- Usernames/emails: /api/profile/john.doe
- GraphQL queries: { post(id: "12345") { content } }
Step 3: Test Authorization
The core BOLA test: Can User A access User B's data?
Setup:
- Create two test accounts (User A and User B)
- Use User A to create content (post, profile, comment)
- Use User B to try accessing User A's content
Test scenarios:
- Replace User A's ID with User B's ID in API calls
- Access endpoints as unauthenticated user (remove auth token)
- Access admin endpoints as regular user
- Access premium features without subscription
- Modify other users' data (update/delete operations)
Step 4: GraphQL-Specific Testing
LinkedIn's premium feature bypass was in GraphQL. Test these:
- Query for restricted fields: { user { premiumFeature } }
- Bypass frontend filters: Query API directly (skip UI)
- Batch queries: Request multiple objects in one query
- Introspection: Discover hidden fields via __schema query
Essential Tools for BOLA/IDOR Testing
1. Burp Suite Professional - $449/year
The gold standard. Features you need:
- Intruder: Automated ID enumeration (swap IDs, test thousands)
- Repeater: Modify and replay requests
- Comparer: Diff responses to spot authorization differences
- Collaborator: Detect blind SSRF in API calls
2. Postman - Free (Premium $49/year)
Excellent for GraphQL and REST API testing:
- Save API collections (reusable test suites)
- Environment variables (easily swap user IDs)
- Automated tests (assert expected vs actual responses)
- GraphQL introspection queries built-in
Pro tip: Create a "BOLA Test" collection with ID permutations pre-configured.
3. Autorize (Burp Extension) - Free
Automates BOLA detection:
- Configure User A and User B credentials
- Browse as User A
- Autorize automatically replays requests as User B
- Flags responses that should have been blocked
Massive time saver for large APIs with hundreds of endpoints.
Real-World Bug Hunting Tips
Where to Look
High-value BOLA targets:
- Social networks (posts, profiles, messages)
- SaaS platforms (workspaces, projects, teams)
- E-commerce (orders, payment methods, addresses)
- Financial apps (accounts, transactions, portfolios)
- Healthcare (medical records, patient data)
What Pays Well
BOLA severity ratings:
- Low ($100-500): Read access to non-sensitive data (public profiles)
- Medium ($500-2,000): Read access to private data (LinkedIn case #1)
- High ($2,000-10,000): Write access (modify/delete), premium features (LinkedIn case #2)
- Critical ($10,000+): Admin access, financial data modification
Common Mistakes to Avoid
- Testing production with real users: Only test with your own test accounts
- Brute-forcing IDs: Programs often ban for this - manual testing first
- Missing the obvious: Sometimes it's as simple as changing ?user=A to ?user=B
- Only testing GET requests: POST/PUT/DELETE often have weaker authorization
⚠️ Legal Warning: Only test applications that have authorized bug bounty programs (HackerOne, Bugcrowd, etc.) or systems you own. Unauthorized testing is illegal.
Level Up Your BOLA Hunting
Want to master API security testing? These resources will take you from beginner to finding $1,000+ bugs:
📚 The Web Application Hacker's Handbook - $45
Chapter 8 covers access control in depth. The patterns described here are timeless - LinkedIn's bugs fit these exact patterns from the book.
📚 Black Hat Python - $35
Learn to build custom BOLA testing tools. Automate ID enumeration, response diffing, and authorization bypass detection.
🔐 YubiKey 5 NFC - $55
Secure your bug bounty accounts. As a security researcher, you're a target. Hardware 2FA is non-negotiable.
Frequently Asked Questions
What is BOLA and why does it matter for bug bounties?
BOLA (Broken Object Level Authorization) is the #1 API security vulnerability. It occurs when APIs don't verify if the user has permission to access a specific resource. High-value bug because it's common (40%+ of APIs affected) and usually high-severity ($500-5,000 bounties typical).
How do I test for BOLA vulnerabilities?
Create two accounts (User A and User B). Have User A create a resource (post, document, profile). Capture the API request. Change to User B's session token but keep User A's resource ID. If User B can access User A's resource → BOLA vulnerability. Test every API endpoint that takes an ID parameter.
What tools do I need for BOLA/IDOR testing?
Burp Suite Professional is essential - use Autorize extension for automated BOLA testing. Postman for GraphQL testing. Create two browser profiles (Chrome + Firefox) to maintain separate sessions easily. Budget: $449/year for Burp Pro (pays for itself with one BOLA bounty).
How much do BOLA vulnerabilities typically pay?
Low severity (limited data exposure): $100-500. Medium (PII access): $500-2,000. High (financial data, account takeover): $2,000-10,000. Critical (mass data exposure): $10,000-50,000+. LinkedIn's HackerOne program average: $2,500-5,000 for BOLA/IDOR.
What's the difference between BOLA and IDOR?
Same vulnerability, different names. IDOR (Insecure Direct Object Reference) is the old OWASP term. BOLA (Broken Object Level Authorization) is the new API Security term. Modern bug bounty programs use BOLA terminology. Both mean: user can access resources they shouldn't.
Are GraphQL APIs more vulnerable to BOLA?
Yes. GraphQL's flexibility makes authorization complex - single endpoint serves multiple resource types. Developers often implement authorization at field level (harder to maintain). Plus GraphQL introspection exposes schema → attackers see all possible queries → easier to find missed authorization checks.
What should I do after finding a BOLA vulnerability?
Document: Which endpoint? What resource? What authorization bypass? Proof: Screenshots showing User A's data accessible by User B. Impact: How many users/resources affected? Remediation: Suggest adding authorization check. Report via bug bounty platform (HackerOne, Bugcrowd). Don't exploit beyond PoC.
Can I test LinkedIn for BOLA vulnerabilities?
Yes - LinkedIn has active bug bounty on HackerOne (scope: *.linkedin.com). But: competition is fierce (thousands of researchers), many endpoints already tested. Better ROI: Test smaller programs with newer APIs, GraphQL implementations, or recently launched features (less testing coverage).
Key Takeaways
- BOLA is everywhere: 40-60% of APIs have these vulnerabilities
- Test systematically: Map endpoints → Identify objects → Test authorization
- GraphQL is different: Hidden fields, batch queries, introspection
- High ROI: $500-5,000 typical bounty range, relatively easy to find
- Learn the patterns: LinkedIn's bugs aren't unique - they're textbook BOLA
Next steps:
- Pick a bug bounty program with an API (HackerOne, Bugcrowd)
- Map all API endpoints with Burp Suite
- Create two test accounts
- Test every endpoint for BOLA (can User B access User A's data?)
- Submit your first report!
Remember: Every successful bug hunter started by finding their first BOLA vulnerability. LinkedIn paid out for these exact patterns. You can find them too. 🎯