Any logged-in user can read any other customer’s orders (IDOR)
Order history API · /api/orders/{id}
The order endpoint returns an order purely from the ID in the URL, without checking the order belongs to the logged-in user. Incrementing the ID returned other customers’ orders — names, addresses, phone numbers and items.
A single logged-in customer could scrape every order in the store: a mass personal-data breach and a direct GDPR/privacy incident. No special tools needed — just changing a number in the address bar.
GET /api/orders/10432 → 200 OK (belongs to a different account)
{ "customer": "REDACTED", "email": "r•••••@•••••.com", "address": "REDACTED" }Enforce an ownership check server-side: the order’s customer_id must equal the authenticated session’s user id. Return 404 (not 403) for orders that aren’t theirs so IDs can’t be enumerated.