S3: When Good Features Create Bad Security

Not all security issues come from bad code.Many come from good features.

Kavita Mittal

~2 min read · April 23, 2026 (Updated: April 23, 2026) · Free: Yes

Features designed for:

Better user experience
Faster access
Easy integrations
Flexible data sharing

Individually, these sound like smart product decisions.

But when combined without security thinking, they quietly open doors that were never meant to exist.This is where three common design patterns meet: authorization gaps, UX convenience, and overexposed APIs.And most teams don't realize they are connected.

The authorization assumption

A user is logged in.So the system allows them to:

View data
Download reports
Access records
Perform actions

Because the system checks:

"Is the user authenticated?"

But forgets to ask "Is this user allowed to access this specific data?"

This is how users end up seeing things that don't belong to them – simply by changing an ID, a parameter, or a link.

The feature works.

The boundary was never clearly defined.

The UX decision

To make life easier for users, teams design flows like:

Direct links to resources
Fewer confirmation steps
Predictable URLs
Auto-filled details
Quick navigation without repeated checks

This improves experience.But it also makes the system predictable.And predictable systems are easy to explore in unintended ways.A user doesn't need hacking skills. They just need curiosity.

The API exposure nobody noticed

Behind every feature is an API sending and receiving data. During development, APIs are often designed to send:

"All the data the UI might need."

Because it's easier. Flexible. Future-proof.

But this means:

Extra fields are exposed
Hidden data travels in responses
Internal identifiers become visible
Relationships between data become guessable

The UI may show only 5 fields. The API might be sending 25. And anyone observing the request can see it.

How these three combine into real risk

Individually, each decision seems harmless:

"User is logged in" → allow access
"Make it easy" → simplify flow
"Send complete data" → flexible API

But together, they create a situation where:

A logged-in user, using a simple and predictable flow, can access far more information than intended – because the API never restricted it, the UX never questioned it, and authorization never defined strict boundaries.

No bugs.

No crashes.

Just a design that trusts too much.

Why teams don't see this during development

Because each team sees only their part:

Product sees user convenience
Developers see working logic
Testers see successful scenarios
Security sees the full picture – but only later. By then, the feature is already live.

The design question that prevents this

During feature design, ask:

Exactly what data should this user see – nothing more?

Are we depending only on login status?
Is the API sending more data than required?
Are we making the system too predictable for the sake of UX?

These questions don't slow development. They prevent silent exposure.

#application-security #web-application-security #application-security-test #application-api-security #cyber-security-awareness

< Go to the original