Update 0xa3-excessive-data-exposure.md

Author: inonshk

2019/en/src/0xa3-excessive-data-exposure.md

@@ -23,6 +23,16 @@ comment’s author, is also returned. The endpoint implementation uses a generic
 `toJSON()` method on the `User` model, which contains PII, to serialize the
 object.
 
+### Scenario #2
+
+An IOT-based surveillance system allows administrators to create users with different permissions.
+An admin created a user for a new security guard that should have access only to specific buildings in the site.
+Once the security guard uses his IPAD, an API call is triggered to:
+"/api/sites/111/cameras" in order to receive data about the available cameras and show them on the dashboard.
+The response contains a list with details cameras in the following format:
+{"id":"xxx","live_access_token":"xxxx-bbbbb","building_id":"yyy"}
+While the client GUI shows only cameras the security guard should have access to, the actual API response contains a full list of all the cameras in the site.
+
 ## How To Prevent
 
 * Never rely on the client side to perform sensitive data filtering.