July 9, 2026
How I Found My First Critical Bug (An IDOR Story)
Hey everyone! Nitin here ๐

By Nitin yadav
1 min read
Everybody remembers their first critical. Mine wasn't some genius exploit โ it was me being stubborn and changing a number. Let me tell you the whole story, because I think it'll show you that your first big bug is closer than you think.
The Setup
I was hunting on a mid-size e-commerce program. Public program, big scope, lots of hunters already on it. Classic "everything's already been found" vibe. I almost skipped it.
I made an account, bought nothing, just poked around. Went to my order history. Clicked an order. The URL looked like this:
/api/orders/48213/invoice
And my brain did that little thing it does now: "I wonder what 48212 looks like."
The Moment
I fired up Burp, sent the request to Repeater, changed 48213 to 48212, hit send.
And I got back someone else's invoice. Full name. Shipping address. Items ordered. Last 4 of their card. Email.
My heart actually skipped. I changed it to 48211. Another person. 48210. Another. It just... kept working. No permission check at all. Classic IDOR.
Making It Count
Here's the part beginners skip. I didn't just scream "IDOR!" and submit. I made it clean:
- Created a SECOND account, placed a real order, noted its ID
- From my FIRST account, pulled that second account's invoice โ proving cross-user access with accounts I controlled (no touching random strangers' data more than needed)
- Screenshotted the two-account proof
- Wrote the impact clearly: "Any user can retrieve any other user's invoice โ name, address, partial card, email โ by changing a sequential ID. Affects the entire customer base."
Triaged as high. Paid. My first real bounty. I stared at the email for like an hour. ๐
What This Taught Me
- Crowded programs still have bugs. Everyone assumed the boring order endpoint was tested. It wasn't.
- The two-account proof is everything. It turns "I think there's a bug" into "here's undeniable cross-user access."
- Curiosity beats skill early on. I didn't know much. I just changed the number.