
All news with #broken object level authorization tag

2 articles

Intent Redirection in EngageSDK Exposes Android Wallets

Microsoft Defender Security Research Team discovered a critical intent redirection vulnerability in the third‑party EngageSDK that allowed co‑installed apps to abuse a merged, exported activity and act with the victim app's identity and permissions. The flaw, present in a post‑build merged manifest entry (MTCommonActivity) and tied to parseUri(URI_ALLOW_UNSAFE) and URI grant flags, could yield persistent read/write access to the victim app's content providers. Microsoft coordinated with EngageLab and the Android Security Team; EngageLab released EngageSDK v5.2.1 on 2025‑11‑03 to set the activity non‑exported, affected apps were removed from Google Play, and Android platform protections were updated. Developers should upgrade and inspect their merged manifests for unexpected exported components.

HackerOne: Employee Data Exposed After Navia Breach

HackerOne is notifying employees that their personal data was exposed after a compromise of benefits administrator Navia. The company reported that a Broken Object Level Authorization (BOLA) vulnerability allowed an unknown actor to access Navia records between December 22, 2025 and January 15, 2026, affecting 287 employees. Exposed fields include Social Security numbers, names, contact details, dates of birth, and plan enrollment information. HackerOne advised monitoring accounts, changing passwords tied to the exposed data, and using the 12‑month identity protection and credit monitoring Navia is offering.