Day 4: IDOR — How I Hacked a Dating App & Accessed Every User’s Private Data
The author found an IDOR vulnerability in a popular dating app: by modifying a URL parameter, other users' private information could be retrieved, which earned an $8,000 bounty. The article details how the vulnerability was discovered and how it was tested. 2025-8-7 04:38:15 Author: infosecwriteups.com

Aman Sharma

Last month, I found an IDOR (Insecure Direct Object Reference) vulnerability in a popular dating app that allowed me to view every user’s private messages, photos, and location data — just by changing a number in the URL. The company paid me $8,000 for this critical find. Today, I’ll show you exactly how I did it, step-by-step, with real examples you can test yourself.


What is IDOR? (In Plain English)

IDOR happens when an app lets you access data you shouldn’t by modifying a parameter (like a user ID, invoice number, or document ID).

Real-World Analogy:

Imagine a hotel where your room key (e.g., Room 305) also works for Room 306, 307, 308… if you just try different numbers. That’s IDOR.

Step 1: Find an API Endpoint That Uses IDs

  • While using the app, I intercepted requests with Burp Suite and noticed:

    GET /api/user/profile?id=12345

  • My profile ID was 12345, but what if I changed it?
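As an added example (not code from the article or from the app it describes), here is the server-side side of the endpoint pattern above: a handler that trusts the `id` from the URL next to one that enforces object-level authorization against the session, plus a small log check a defender can run to spot sessions requesting ids other than their own. The user records, the "matches" relation and the log line format are constructed assumptions for the demo.

```python
# Object-level authorization for an endpoint shaped like
# GET /api/user/profile?id=<n>. Everything below is constructed for
# this example; none of it is the dating app's code.

# Constructed sample records: the "private" fields are exactly what an
# IDOR on this endpoint would leak.
USERS = {
    12345: {"name": "alice", "location": "Berlin", "messages": ["hi bob"]},
    12346: {"name": "bob", "location": "Paris", "messages": ["hi alice"]},
}

def vulnerable_profile(session_user_id, requested_id):
    """The IDOR pattern: the id comes from the URL and is trusted as-is.
    Being logged in is the only check, so any user can read any record."""
    return USERS.get(requested_id)

def hardened_profile(session_user_id, requested_id, matches=None):
    """Fixed version: the server decides who may see which record based
    on the authenticated session, not on whatever id the client sent."""
    record = USERS.get(requested_id)
    if record is None:
        return None
    if session_user_id == requested_id:
        return record                       # own profile: full view
    if matches and requested_id in matches.get(session_user_id, set()):
        # constructed rule: matched users get a minimal public view only
        return {"name": record["name"]}
    # Unknown id and unauthorized id look the same to the caller, so the
    # response does not confirm which ids exist.
    return None

def audit_profile_requests(log_lines):
    """Detection aid: count, per session, how many profile requests asked
    for an id other than the session's own user. A high count is the
    enumeration pattern an IDOR hunt produces. Log lines are constructed
    as 'session_user_id requested_id'."""
    counts = {}
    for line in log_lines:
        session_id, requested_id = (int(x) for x in line.split())
        if session_id != requested_id:
            counts[session_id] = counts.get(session_id, 0) + 1
    return counts
```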

Step 2: Test for Access…


Article source: https://infosecwriteups.com/day-4-idor-how-i-hacked-a-dating-app-accessed-every-users-private-data-b59a485f455f?source=rss----7b722bfd1b8d---4