Summary

  • An Insecure Direct Object Reference (IDOR) is an access control vulnerability that can expose private user data.
  • This typically occurs when developers fail to implement proper authorization checks for users accessing internal references, such as user IDs, and instead assume that users will only request data relating to themselves.
  • As a result, attackers can view, modify or delete sensitive records simply by manipulating a URL or request parameter.
  • An example of this would be if a user were to browse a site and see a URL resembling https://api.example.com/api/user/139349, and decide to change the number to 139350.
  • If the application then returns information belonging to a different user, it is vulnerable to IDOR.
  • These bugs can be tested for using real examples and tools; however, it should be noted that all testing should be conducted on platforms that the user owns or through approved bug bounty programs.
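As an added illustration (not code from the original article), the following constructed Python snippet shows the user-lookup handler behind a URL like /api/user/139349 in its vulnerable form beside two hardened variants: an object-level ownership check tied to the authenticated session, and a per-session indirect reference so the real ID never reaches the client. The `Session` class, the sample records and the `outcome` helper are assumptions made for the demo.

```python
import secrets
from dataclasses import dataclass

# Constructed sample records, mirroring the 139349 / 139350 ids in the summary.
USERS = {
    139349: {"id": 139349, "email": "alice@example.com"},
    139350: {"id": 139350, "email": "bob@example.com"},
}

@dataclass
class Session:
    """Identity established at login; hypothetical stand-in for a real session object."""
    user_id: int

class Forbidden(Exception):
    pass

def get_user_vulnerable(session: Session, requested_id: int) -> dict:
    """IDOR: trusts the client-supplied id and never checks who is asking."""
    return USERS[requested_id]

def get_user_fixed(session: Session, requested_id: int) -> dict:
    """Object-level authorization: the record must belong to the authenticated user."""
    if requested_id != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read user {requested_id}")
    return USERS[requested_id]

def issue_reference(session: Session):
    """Indirect reference: hand the client an unguessable token instead of the real id."""
    token = secrets.token_urlsafe(16)
    return token, {token: session.user_id}

def get_user_indirect(session: Session, ref_map: dict, token: str) -> dict:
    """Resolve the token server-side and still confirm ownership (defence in depth)."""
    real_id = ref_map.get(token)
    if real_id is None or real_id != session.user_id:
        raise Forbidden("unknown or foreign reference")
    return USERS[real_id]

def outcome(handler, session: Session, *args) -> str:
    """'leaked' if another user's record comes back, 'denied' if blocked, 'own' otherwise."""
    try:
        record = handler(session, *args)
    except Forbidden:
        return "denied"
    return "own" if record["id"] == session.user_id else "leaked"
```

Calling `outcome(get_user_vulnerable, Session(139349), 139350)` returns "leaked", which is exactly the symptom the summary describes; the fixed handlers return "denied" for the same request.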

By Elie Attieh
