## GitHub Security Alert: High-Severity IDOR Exposes All User Accounts to Unauthorized Access
A critical security vulnerability has been exposed in a codebase, allowing any authenticated user to access, modify, or delete the bank accounts of any other user. The flaw is a classic Insecure Direct Object Reference (IDOR) vulnerability, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The exposure stems from a missing ownership verification check in a core API endpoint, creating a direct path for unauthorized data access.

The vulnerability resides in the `GET /api/accounts/:id` endpoint within the `src/api/accounts.js` file. The code retrieves an account based on a user-supplied ID parameter but fails to validate that the requested account belongs to the currently authenticated user. This omission means an attacker can simply guess or enumerate account IDs to gain full control over other users' financial data. The same pattern likely affects related update and delete endpoints, amplifying the risk.

The impact is severe, posing a direct threat to data integrity and user privacy. The recommended remediation is straightforward but critical: implement an ownership verification check, such as `if (account.userId !== req.user.id) return res.status(403)...`, across all account-related endpoints. This incident serves as a stark warning about the necessity of robust authorization logic in financial applications, where a single missing line of code can compromise an entire user base.
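To make the flaw and its fix concrete, here is an added example (not code from the affected repository): an Express-style `GET /api/accounts/:id` handler with the missing ownership check the alert describes, beside a small `loadOwnedAccount` helper that performs the `account.userId !== req.user.id` comparison once and can guard the get, update and delete handlers alike. The account store, user IDs and the minimal `req`/`res` objects are constructed here so the example runs without Express.

```javascript
// Added example (not the repository's code). Vulnerable and fixed handlers for
// GET /api/accounts/:id plus a reusable ownership check; the data store and the
// minimal req/res stand-ins are constructed so this runs without Express.

// Constructed sample data: two users, each owning one account.
const accounts = new Map([
  [101, { id: 101, userId: 1, balance: 2500 }],
  [102, { id: 102, userId: 2, balance: 830 }],
]);

// Vulnerable (CWE-639): :id is user-controlled and ownership is never checked,
// so any authenticated user can read any account by supplying its ID.
function getAccountVulnerable(req, res) {
  const account = accounts.get(Number(req.params.id));
  if (!account) return res.status(404).json({ error: 'not found' });
  return res.status(200).json(account);
}

// Fixed: resolve the account and verify it belongs to req.user before doing anything
// with it. Returns the account, or null after writing the error response.
// (Responding 404 for foreign accounts too would avoid confirming that the ID exists.)
function loadOwnedAccount(req, res) {
  const account = accounts.get(Number(req.params.id));
  if (!account) { res.status(404).json({ error: 'not found' }); return null; }
  if (account.userId !== req.user.id) { res.status(403).json({ error: 'forbidden' }); return null; }
  return account;
}

function getAccountFixed(req, res) {
  const account = loadOwnedAccount(req, res);
  if (account) res.status(200).json(account);
}

// Same guard reused for a mutating endpoint: 204 No Content on success.
function deleteAccountFixed(req, res) {
  const account = loadOwnedAccount(req, res);
  if (account) { accounts.delete(account.id); res.status(204); }
}

// Invoke a handler as authenticated user `userId` requesting account `accountId`,
// using a minimal stand-in for Express's res object.
function call(handler, userId, accountId) {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  handler({ params: { id: String(accountId) }, user: { id: userId } }, res);
  return { status: res.statusCode, body: res.body };
}

// User 2 asking for user 1's account: the vulnerable handler leaks it, the fixed one refuses.
console.log(call(getAccountVulnerable, 2, 101).status, call(getAccountFixed, 2, 101).status); // 200 403
```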

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security Vulnerability, IDOR, Authorization Bypass, Code Security, Data Privacy
- **Credibility**: unverified
- **Published**: 2026-04-03 20:27:07
- **ID**: 49477
- **URL**: https://whisperx.ai/en/intel/49477