A tool to check if users can see someone else’s data
Many apps check whether a person is in, but miss the second check: whether the requested data actually belongs to that person. If that check is missing, a -in user may change one number or ID in a request and receive another customer’s record. The problem can stay hidden during demos and normal because everyone usually opens only their own data.
This is a common API flaw that can lead to real data leaks. The new beta tool checks a live app for this specific issue. It shows the exact request, explains the risk in plain language, and gives a one-line fix.
It uses only , so it can prove the issue without touching real customer data. For now, it focuses only on the family of flaws where people can reach data they do not own.
Key points
- A login check alone does not prove the requested data belongs to that user.
- Changing one number or ID in a request can expose another person’s record if checks are missing.
- The tool checks a live app for this specific access problem.
- It uses instead of real customer data.
- It ly focuses on one issue, not every kind of risk.