If a website uses a number in its web address to show different users' accounts, what simple change to that number lets you see someone else's account?
The simple change is altering the number in the web address to a different one. This action exploits a common security flaw known as an Insecure Direct Object Reference, or IDOR. An Insecure Direct Object Reference happens when a web application allows a user to directly access a resource, such as a user account or specific data, by modifying an identifier in the web address without performing adequate authorization checks. In this scenario, the number in the web address functions as a direct identifier for a specific user's account. For example, if a user's account is accessed via a URL like `www.example.com/profile?id=123`, an attacker might change `123` to `124` to attempt to view a different user's account. If the website's server-side logic does not properly verify that the currently logged-in user is authorized to view the account associated with the modified identifier, then the system incorrectly grants access, thereby exposing another user's information. The vulnerability fundamentally arises from the application's failure to implement robust access controls that restrict what data a user is permitted to see based on their authenticated identity and privileges.
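As an added illustration (not part of the original answer), the handler below shows the IDOR-prone lookup beside the version that performs the missing server-side authorization check; the in-memory `PROFILES` table, the `ADMINS` set and the function names are constructed for this example.

```python
"""Added example: a profile lookup with and without the ownership check.
The data store, account ids and role set below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    id: int
    owner_id: int
    email: str


# Constructed sample rows standing in for a database table keyed by the URL id.
PROFILES = {
    123: Profile(id=123, owner_id=123, email="alice@example.com"),
    124: Profile(id=124, owner_id=124, email="bob@example.com"),
}
ADMINS = {1}  # constructed: user ids allowed to read any profile


class Forbidden(Exception):
    """Raised when the caller is not authorized to read the requested object."""


def get_profile_vulnerable(session_user_id: int, requested_id: int) -> Profile:
    """Returns whatever id the URL carried. The user is authenticated
    (session_user_id comes from the server-side session) but never
    compared against the object's owner, so ?id=124 leaks Bob's record."""
    return PROFILES[requested_id]


def get_profile_secure(session_user_id: int, requested_id: int) -> Profile:
    """Same lookup, but the server verifies that the logged-in user owns the
    object (or holds an admin role) before returning it. The identity used
    for the check is the session's, never a value the client supplied."""
    profile = PROFILES.get(requested_id)
    # One error for both 'missing' and 'not yours', so responses do not
    # reveal which ids exist.
    if profile is None or (
        profile.owner_id != session_user_id and session_user_id not in ADMINS
    ):
        raise Forbidden(f"user {session_user_id} may not read profile {requested_id}")
    return profile


def is_forbidden(session_user_id: int, requested_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_profile_secure(session_user_id, requested_id)
    except Forbidden:
        return True
    return False
```

The tamper attempt the answer describes succeeds against the first function and is refused by the second; logging the `Forbidden` path is a cheap detection signal for id-enumeration attempts.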