Security Director at ForgeRock.
Author: https://www.manning.com/books/api-security-in-action
Cryptography and application security. PhD in AI. Secret Prolog junkie.
If your external ids are unguessable (e.g., 256-bit random strings) then this attack completely disappears. Another alternative is to only expose /api/accounts/me if there is no valid reason for a user to ever access any other account.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Agreed, also don't use internal db ids in the api so the attacker cannot infer the sequencing
Yep.It's always good to use a random string or a different Identifier for any public resource.
If your external ids are unguessable (e.g., 256-bit random strings) then this attack completely disappears. Another alternative is to only expose
/api/accounts/meif there is no valid reason for a user to ever access any other account.