Broken Access Control : IDOR

[Nvz0x]

The application allows unauthorized access to data of other objects.

A valid user can interact with other user's information as the application is not checking the authorization of the use

PoC:

https://example.com/{USERNAME}/notifications

A valid user can view other users' notifications

• For example logged in with : nvz account

• nvz Notifications

• As a result can view another user notifications

[Adamanthus]

2 months later and no reply, I think I will hold off on purchasing this.