If you have invoices, accounts or statement pages/APIs, please make sure ONLY the real user or admin can see the data.
Example:
I've seen this COUNTLESS times with big and small companies. It's my favorite thing to do when signing up for a new service: see if I can wiggle-waggle the account statements. Like I said, it's a really simple thing, and maybe most HN readers are "above these sorts of errors", but I see it a few times a year, with just the services I use.
Also a good little tip (again, might be preaching to the wrong crowd) is to use some form of non-deterministic ID scheme for accounts, statements and of course user IDs.
UUIDs are great for this. If for some reason you do have a gap in your system and your IDs are deterministic, the bad actor can just enumerate ALL accounts and users.
Sorry if I'm insulting the "average HN reader" with these "simple and obvious mistakes", but like I said, I see this A LOT. YMMV
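An added example (mine, not the commenter's code) of the two points above: a statement lookup that only checks the id exists, beside one that checks the requester actually owns the statement (or is an admin), with UUIDv4 as the non-deterministic ID scheme. Everything here is constructed for illustration: the StatementStore class, the User/Statement records and the sample users alice, bob and ops.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Statement:
    statement_id: str
    owner_id: str
    balance_cents: int


class NotFound(Exception):
    """Raised for both 'no such statement' and 'not your statement' (see get_statement)."""


def new_statement_id() -> str:
    # UUIDv4 is random (122 bits of entropy), so knowing one valid id tells
    # you nothing about the next one; a sequential counter would.
    return str(uuid.uuid4())


class StatementStore:
    """Constructed in-memory store standing in for the statements table."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Statement] = {}

    def add(self, owner_id: str, balance_cents: int) -> Statement:
        s = Statement(new_statement_id(), owner_id, balance_cents)
        self._by_id[s.statement_id] = s
        return s

    def get_statement_insecure(self, statement_id: str, requester: User) -> Statement:
        # The gap the comment describes: the lookup only checks that the id
        # exists. `requester` is never consulted, so any signed-in user who
        # knows another customer's id gets that customer's statement.
        if statement_id not in self._by_id:
            raise NotFound(statement_id)
        return self._by_id[statement_id]

    def get_statement(self, statement_id: str, requester: User) -> Statement:
        # Hardened: authorization is decided per object, on the server, using
        # the requester identity taken from the session, never from the request.
        s: Optional[Statement] = self._by_id.get(statement_id)
        if s is None or not (requester.is_admin or s.owner_id == requester.user_id):
            # One error for "missing" and "not yours", so the response does not
            # confirm which ids exist.
            raise NotFound(statement_id)
        return s


def demo() -> dict:
    """Constructed scenario: two customers and an admin; reports who could read what."""
    store = StatementStore()
    alice, bob = User("alice"), User("bob")
    admin = User("ops", is_admin=True)
    alices = store.add(alice.user_id, 12_345)

    def attempt(fn, statement_id: str, who: User) -> Optional[str]:
        try:
            return fn(statement_id, who).owner_id
        except NotFound:
            return None

    return {
        "insecure_bob_reads_alice": attempt(store.get_statement_insecure, alices.statement_id, bob),
        "secure_bob_reads_alice": attempt(store.get_statement, alices.statement_id, bob),
        "secure_alice_reads_own": attempt(store.get_statement, alices.statement_id, alice),
        "secure_admin_reads_alice": attempt(store.get_statement, alices.statement_id, admin),
        "secure_unknown_id": attempt(store.get_statement, new_statement_id(), alice),
        "id_is_uuid4": uuid.UUID(alices.statement_id).version == 4,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The per-object ownership check is the actual fix; the UUID is only a second layer, so that if the check is ever missed on one endpoint, the ids are not trivially guessable. Returning the same error for "missing" and "not yours" keeps the endpoint from confirming which ids exist.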