IDOR in AI APIs is the finding I keep seeing on assessments because security teams test the LLM and forget the API layer underneath it. The same broken object level authorization that affects every other API affects the endpoints that wrap your LLM too. Change the user_id parameter in the API request. Access another user's conversation history. Grab their fine-tuned model preferences. Pull their uploaded documents. The LLM didn't do anything wrong — the API layer handed you someone else's…
No comments:
Post a Comment