Recently, I found a simple but serious vulnerability on a website. It was an IDOR (Insecure Direct Object Reference) issue.
The site had a link like this:
https://example.com/api/v1/users/1234/photo
Now the problem was—if I changed the user ID in the URL, like from 1234 to 1235, I could see someone else’s profile photo 👀. No login needed, no permission required.
This kind of issue can leak user data, and if the platform is big, it becomes a privacy risk. I reported it, and the team fixed it by adding proper access checks.
Takeaway: Always check whether your APIs leak data when someone simply changes an ID in the request. Small oversights like this can lead to big problems.
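The access check described above, as an added example that is not the site's own code: a handler for the `/api/v1/users/<id>/photo` route without and with authentication plus an ownership check, and a regression check that walks the other IDs. The data, token names, function names and the owner-only visibility rule are assumptions made for illustration.

```python
import re

# Constructed sample data: photos keyed by user ID, and session tokens
# mapped to the user ID they authenticate (all values are made up).
PHOTOS = {1234: b"photo-of-1234", 1235: b"photo-of-1235"}
SESSIONS = {"token-alice": 1234, "token-bob": 1235}

ROUTE = re.compile(r"^/api/v1/users/(\d+)/photo$")


def get_photo_vulnerable(path, token=None):
    """The 'before': trusts the ID in the URL and ignores who is asking."""
    m = ROUTE.match(path)
    if not m or int(m.group(1)) not in PHOTOS:
        return 404, b""
    return 200, PHOTOS[int(m.group(1))]


def get_photo_checked(path, token=None):
    """The 'after': authenticate the caller, then authorize access to this object."""
    m = ROUTE.match(path)
    if not m:
        return 404, b""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, b""  # no valid session: reject before touching any data
    target = int(m.group(1))
    # Assumed policy: a photo is visible only to its owner. "Not yours" and
    # "does not exist" get the same answer so valid IDs are not confirmed.
    if target != caller or target not in PHOTOS:
        return 404, b""
    return 200, PHOTOS[target]


def leaked_ids(handler, token, own_id):
    """Regression check: other users' IDs whose photo the handler hands over."""
    leaks = []
    for uid in sorted(PHOTOS):
        if uid == own_id:
            continue
        status, _ = handler(f"/api/v1/users/{uid}/photo", token)
        if status == 200:
            leaks.append(uid)
    return leaks
```

Running `leaked_ids` against every object-by-ID route in a test suite turns the takeaway into a check that fails the build if the ownership test is ever removed.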