lucasgonze / Safeharbor.in


account # leaks in /box/splash/acctid #230

Open lucasgonze opened 11 years ago

lucasgonze commented 11 years ago

The way the code for box-models.get is written, the inbox ID can be either the md5 of the inbox number or the inbox number.

There's no salt on the md5, so anybody can guess those. And the inbox number itself is a serial number starting from 1, so there's no security at all on these numbers.

This needs to be rethought. Either add a salt and disable direct entry of account numbers, or only use direct entry of account numbers.