How I Found a Horizontal Privilege Escalation Vulnerability — From Recon to Exploit
During a bug bounty session, the researcher found a horizontal privilege escalation vulnerability: by swapping the user ID, they could access other users' accounts and reset their passwords. 2025-8-14 05:23:51 Author: infosecwriteups.com

Hi Researchers, this is my 4th blog.


During one of my bug bounty sessions, I came across a Horizontal Privilege Escalation vulnerability in a web application.
This bug allowed me to access another user’s account and even reset their password — without their permission.
In this post, I’ll walk you through how I approached the target, the steps I took, and how I finally exploited the bug.

Horizontal privilege escalation occurs when an attacker gains access to another user’s data or actions without having elevated privileges.
Unlike vertical privilege escalation (user → admin), horizontal escalation stays within the same permission level but jumps between accounts.

Example:

  • User A can access User B’s account by manipulating parameters like User ID.
  • The attacker does not become an admin but still compromises sensitive data.

Reconnaissance Phase

Before I found the bug, I performed my usual recon routine:

  1. Account Setup
    I created two separate accounts on the target platform — let’s call them Account A and Account B.
  2. Browser Isolation
    To simulate real users, I opened both accounts in different browsers:
    • Account A → Firefox
    • Account B → Firefox Incognito
  3. Exploring the Application
    I browsed through the “My Account” and “Users” sections for both accounts, noting every feature and action available.

Identifying the Vulnerability

While exploring Account A, I navigated to:
My Account → Users → Settings for a specific user.

I noticed that the URL or request contained a GUID (a unique User ID).
This looked something like:

/user/settings?id=23f9a9b1-xxxx-xxxx-xxxx-xxxxxxxxxxx

At this point, I suspected that if I replaced this GUID with another user’s ID, I might be able to access their data.
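As an added illustration (not code from the original post or from the target application), here is a minimal Python model of the endpoint pattern described above: a handler that trusts the `id` parameter beside one that checks it against the server-side session, plus a two-account check that mirrors the recon setup. The GUIDs, settings and function names are constructed assumptions.

```python
"""Model of a /user/settings?id=<GUID> endpoint with and without an ownership check.

Hypothetical code, not the target application's. The two accounts below are
constructed sample data standing in for Account A and Account B.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: str          # GUID as it appears in the request
    email: str
    settings: dict = field(default_factory=dict)


# Constructed sample accounts (fixed GUIDs so the example is deterministic).
ACCOUNT_A = User("11111111-1111-4111-8111-111111111111", "a@example.com",
                 {"theme": "dark"})
ACCOUNT_B = User("22222222-2222-4222-8222-222222222222", "b@example.com",
                 {"theme": "light", "mfa": False})
USERS = {u.id: u for u in (ACCOUNT_A, ACCOUNT_B)}


class Forbidden(Exception):
    """Raised when the requested id does not belong to the authenticated user."""


def settings_vulnerable(session_user_id: str, requested_id: str) -> dict:
    """Looks up whichever id the client supplied; ownership is never checked,
    so any authenticated user can read any other user's settings."""
    user = USERS.get(requested_id)
    if user is None:
        raise KeyError("no such user")
    return user.settings


def settings_hardened(session_user_id: str, requested_id: str) -> dict:
    """Authorises against the server-side session identity, not the client id.
    The same rule applies to any endpoint keyed by user id (e.g. password reset)."""
    if requested_id != session_user_id:
        raise Forbidden("id does not belong to the authenticated user")
    return USERS[session_user_id].settings


def cross_account_access_denied(handler) -> bool:
    """Two-account regression check mirroring the manual recon: Account A is
    logged in and requests Account B's id. True means the handler refused."""
    try:
        handler(ACCOUNT_A.id, ACCOUNT_B.id)
    except Forbidden:
        return True
    return False
```

Running `cross_account_access_denied` against each handler in a test suite turns the manual two-browser check into an automated one.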


Source: https://infosecwriteups.com/how-i-found-a-horizontal-privilege-escalation-vulnerability-from-recon-to-exploit-456fac79b8eb?source=rss----7b722bfd1b8d---4