While testing export functionality on a crypto trading platform, I discovered that users' spot and futures order history CSV files were hosted on a public static domain and could be accessed without authentication.
The export URLs followed a predictable structure and contained numeric user IDs, making them trivial to enumerate. By changing the ID in the path, anyone could download another user's complete trading history — no login, no token, no session required.
Example pattern (redacted):
https://static.example.com/order/{type}/export/file/{YYYYMM}/{USER_ID}/Order_history_{DATE_RANGE}.csv

Each CSV file contained highly sensitive financial data such as trading pairs, leverage, order timestamps, filled quantities, fees, and profit/loss values. This effectively exposed users' full trading strategies and risk profiles.
Because the URLs were fully public and predictable, the issue could be exploited at scale, potentially allowing mass harvesting of millions of users' trading histories. Some of these files were also indexed by search engines, increasing discoverability.
The issue was reported responsibly, validated, and eventually fixed by the platform.
This case highlights how a simple IDOR combined with public file hosting can turn routine export functionality into a severe privacy and security risk — especially for financial and crypto platforms.
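As an added example (not the platform's code or anything from the original report), here is the hardening a defender would apply to the export pattern above: the file host only serves a CSV for an HMAC-signed, short-lived URL whose signature covers the full path (including USER_ID), and only to the authenticated user whose ID is in that path, so editing the numeric ID yields nothing. The signing key, host name and function names are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed server-side secret; in practice loaded from a secrets manager, never hard-coded.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
HOST = "https://static.example.com"

def _message(path: str, expires: int) -> bytes:
    # The signed message binds the exact path and the expiry time.
    return f"{path}|{expires}".encode()

def make_export_url(order_type: str, user_id: int, period: str, date_range: str,
                    ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue a short-lived download URL for one user's export file."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    path = f"/order/{order_type}/export/file/{period}/{user_id}/Order_history_{date_range}.csv"
    sig = hmac.new(SIGNING_KEY, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{HOST}{path}?" + urlencode({"expires": expires, "sig": sig})

def verify_export_url(url: str, requesting_user_id: int, now: Optional[int] = None) -> bool:
    """Check the file host must perform before serving: valid signature, not expired,
    and the USER_ID in the path matches the authenticated requester."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned URL (the original vulnerable pattern) is refused
    if now > expires:
        return False
    expected = hmac.new(SIGNING_KEY, _message(parsed.path, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # any tampering with the path, including the USER_ID, lands here
    parts = parsed.path.split("/")
    # Expected layout: ['', 'order', type, 'export', 'file', period, user_id, filename]
    return len(parts) == 8 and parts[6] == str(requesting_user_id)
```

The owner check is what closes the IDOR; the signature and expiry additionally make the URLs unguessable and useless once indexed or leaked.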
Bug Severity & User ID Enumeration
A key factor in the impact of this issue was user ID enumeration. The platform used purely numeric user IDs in the export paths, which were easy to predict and sequential. In the report, I demonstrated multiple active records and showed that changing only the numeric ID reliably returned valid trading history files for different users.
Given the ability to enumerate a large number of real user records and access sensitive financial data without authentication, the issue was ultimately classified as P3 severity. The submission was validated, fixed, and awarded a $1,000 bounty.
