Tag: bfla
All the articles with the tag "bfla".
- Broken Function Level Authorization: Hijacking the Live Stream
OopsSec Live hides the broadcast controls from non-admins in the UI, but the API never checks your role. Any logged-in customer can replace the live stream, exactly like the 2026 FIFA internal-systems hack.