Black & White Path
Jun 22, 2026 · Information Security
How an Overlooked Request Header Exposed All My Transaction Records
The author discovered a silent IDOR vulnerability in a financial system: the backend trusted the X-Account-Id request header, so anyone who supplied an arbitrary user ID in that header could retrieve that user's full transaction, rewards, and billing data without authentication. The issue was reported responsibly and led to a rapid fix and a reward.
IDOR · financial API · request header
