Broken Object Level Authorisation

The application doesn't check who owns the object being requested, e.g. a user can access other users' data such as profiles, messages, etc.
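
An added example (not part of the original note) showing the missing ownership check beside a corrected lookup. The message store, user ids and function names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    owner_id: int
    body: str


# Constructed sample data: two users, one message each.
MESSAGES = {
    101: Message(101, owner_id=1, body="user 1: private note"),
    102: Message(102, owner_id=2, body="user 2: private note"),
}


class NotFound(Exception):
    """Would map to HTTP 404 in a real handler."""


def get_message_vulnerable(current_user_id: int, message_id: int) -> Message:
    # BOLA: the caller is authenticated, but the lookup trusts the
    # client-supplied id and never compares the owner to the caller.
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise NotFound(message_id)
    return msg


def get_message_checked(current_user_id: int, message_id: int) -> Message:
    # Fix: authorise per object. current_user_id is assumed to come from
    # the server-side session, never from the request path or body.
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner_id != current_user_id:
        # Same error for "missing" and "not yours", so the response
        # does not reveal which ids exist.
        raise NotFound(message_id)
    return msg


def can_read(handler, current_user_id: int, message_id: int) -> bool:
    """Return True if the handler hands the message to this user."""
    try:
        handler(current_user_id, message_id)
        return True
    except NotFound:
        return False
```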