Critical · E-commerce platform · US
IDOR exposing every customer's order data
A single authenticated user could substitute any order ID into the order-lookup request and receive that customer's full order record — PII, shipping address and payment metadata — because the endpoint checked that the caller was logged in but never that the order belonged to them.
Impact
- Full PII exposure across user base
- Regulatory exposure (GDPR / CCPA)
- Trivial to exploit — no chained flaw needed
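The pattern behind this finding, as an added illustration rather than code from the assessed platform: a lookup that checks authentication but not ownership, beside the fixed version that scopes the lookup to the caller, plus a small probe that walks an ID range the way the assessment did. The order records, customer IDs and function names are constructed for the example.

```python
"""Added example (not the assessed platform's code): a minimal order lookup
showing the IDOR pattern beside an ownership-checked version. All records,
IDs and names below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    shipping_address: str
    payment_last4: str


# Constructed sample data: three orders belonging to two different customers.
ORDERS = {
    1001: Order(1001, owner_id=7, shipping_address="1 Main St", payment_last4="4242"),
    1002: Order(1002, owner_id=9, shipping_address="2 Elm Ave", payment_last4="1111"),
    1003: Order(1003, owner_id=7, shipping_address="1 Main St", payment_last4="4242"),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """Vulnerable: the caller has a valid session (authentication), but the
    order is fetched by ID alone with no ownership check (authorization).
    Any order ID that exists is returned to any logged-in user."""
    if order_id not in ORDERS:
        raise NotFound
    return ORDERS[order_id]


def get_order_fixed(session_user_id: int, order_id: int) -> Order:
    """Fixed: the lookup is scoped to the caller's own orders. A foreign order
    produces the same 404 as a nonexistent one, so the endpoint does not even
    confirm which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound
    return order


def enumerate_orders(handler, session_user_id: int, id_range):
    """Reproduces the assessment probe: walk a range of IDs as one user and
    collect whatever the handler returns. Returns the order IDs obtained and
    how many of them belong to other customers."""
    obtained = []
    foreign = 0
    for oid in id_range:
        try:
            order = handler(session_user_id, oid)
        except NotFound:
            continue
        obtained.append(order.order_id)
        if order.owner_id != session_user_id:
            foreign += 1
    return obtained, foreign


if __name__ == "__main__":
    # Customer 7 walks IDs 1000-1009 against both handlers.
    print("vulnerable:", enumerate_orders(get_order_vulnerable, 7, range(1000, 1010)))
    print("fixed:     ", enumerate_orders(get_order_fixed, 7, range(1000, 1010)))
```

In a real backend the ownership check belongs in the data access layer (for example `WHERE id = ? AND customer_id = ?` rather than `WHERE id = ?`) so every code path that loads an order inherits it. Replacing sequential IDs with random ones makes enumeration slower but is not a substitute for the check: any ID that leaks in an email, receipt or log is still directly usable.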