How an Overlooked Request Header Exposed All My Transaction Records
The author discovered a silent IDOR vulnerability in a financial system: the backend trusted the X-Account-Id request header, so any user ID could be used to retrieve full transaction, rewards, and billing data without authentication. The author reported it responsibly, which led to a rapid fix and a reward.
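
The pattern described above, as an added example that is not code from the original post: a handler that takes the account from the client-supplied X-Account-Id header, beside a version that derives the account from the authenticated session. The session tokens, account IDs, records and function names are constructed for illustration.

```python
# Constructed sample data (hypothetical): session tokens and per-account records.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}
TRANSACTIONS = {
    "1001": [{"id": "t1", "amount": 42.50}],
    "1002": [{"id": "t2", "amount": 13.37}],
}


def vulnerable_handler(headers):
    """Treats the client-supplied X-Account-Id header as the caller's identity."""
    account_id = headers.get("X-Account-Id")
    if account_id not in TRANSACTIONS:
        return 404, {"error": "not found"}
    # No session check and no ownership check: the header alone selects the data.
    return 200, {"transactions": TRANSACTIONS[account_id]}


def authenticate(headers):
    """Resolve the caller's account from a server-side session lookup."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    return SESSIONS.get(token)


def hardened_handler(headers):
    """Derives the account from the session; the header may only agree with it."""
    account_id = authenticate(headers)
    if account_id is None:
        return 401, {"error": "authentication required"}
    claimed = headers.get("X-Account-Id")
    if claimed is not None and claimed != account_id:
        # A mismatch is worth logging as a detection signal; never honour it.
        return 403, {"error": "account mismatch"}
    return 200, {"transactions": TRANSACTIONS.get(account_id, [])}
```

The hardened handler never reads records by the header value; the header is at most compared against the identity the server already established.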
