A tool to check if users can see someone else’s data

Many apps check whether a person is in, but miss the second check: whether the requested data actually belongs to that person. If that check is missing, a -in user may change one number or ID in a request and receive another customer’s record. The problem can stay hidden during demos and normal because everyone usually opens only their own data.

This is a common API flaw that can lead to real data leaks. The new beta tool checks a live app for this specific issue. It shows the exact request, explains the risk in plain language, and gives a one-line fix.

It uses only , so it can prove the issue without touching real customer data. For now, it focuses only on the family of flaws where people can reach data they do not own.

Key points

  • A login check alone does not prove the requested data belongs to that user.
  • Changing one number or ID in a request can expose another person’s record if checks are missing.
  • The tool checks a live app for this specific access problem.
  • It uses instead of real customer data.
  • It ly focuses on one issue, not every kind of risk.
Read original