A security researcher discovered an IDOR vulnerability in an e-commerce platform where unauthorized access to user account data (name, address, credit card details) could be achieved by exploiting misconfigured CORS that exposed random checkout hashes to third-party integrations, allowing attackers to enumerate and access arbitrary user wallets via predictable endpoints.
An IDOR vulnerability in an e-commerce application's address management API allowed exposure of other users' sensitive information (names, addresses, phone numbers) through a POST request to set default address endpoint that returned 200 with empty body but still processed sequential address IDs. The vulnerability was discovered when the payment page displayed a different user's address data.