
Comment by Daviey

6 days ago

Perhaps I misunderstood, but I read it that the account they got access to was a highly privileged account, which did have general access to all data.

The report didn't make it clear to me if an unauthorised user, or an account with low privilege, can still access data they otherwise should not have access to.

If this is true, then I agree it is an IDOR, but I read it as they had access because of their current context.

> It turned out we had become the administrator of a test restaurant inside the McHire system.

I don’t think you would expect the administrator of a single restaurant to have access to the data of all 64M applicants globally.
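The distinction the comment draws (access that follows from the caller's context versus an IDOR, where the object reference is not bound to that context) can be shown with a small hypothetical per-restaurant admin API. This is an added illustration, not the commenter's code and not McHire's; the applicant records, session shape and function names are all constructed for the example.

```python
# Added illustration (not McHire's code, not from the commenter): an IDOR in a
# hypothetical per-restaurant admin API, beside the tenant-scoped version.
# All data, roles and names below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Applicant:
    id: int
    restaurant_id: int
    name: str


@dataclass(frozen=True)
class Session:
    user: str
    role: str                     # "restaurant_admin" or "global_admin"
    restaurant_id: Optional[int]  # the single restaurant a restaurant_admin manages


# Constructed sample data: two restaurants, three applicants.
APPLICANTS: Dict[int, Applicant] = {
    1: Applicant(1, 100, "alice"),
    2: Applicant(2, 100, "bob"),
    3: Applicant(3, 200, "carol"),
}


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """Checks only that the caller is *some* admin, then looks the record up by ID.
    A restaurant_admin of restaurant 100 can read applicant 3 (restaurant 200):
    the object reference is never tied to the caller's context, i.e. an IDOR."""
    if session.role not in ("restaurant_admin", "global_admin"):
        raise Forbidden("not an admin")
    return APPLICANTS[applicant_id]


def get_applicant_scoped(session: Session, applicant_id: int) -> Applicant:
    """Binds the lookup to the caller's context: a restaurant_admin may only read
    applicants of their own restaurant; only a global_admin is unscoped."""
    if session.role == "global_admin":
        return APPLICANTS[applicant_id]
    if session.role != "restaurant_admin":
        raise Forbidden("not an admin")
    applicant = APPLICANTS.get(applicant_id)
    # Fail closed, and use one error for "missing" and "not yours" so the
    # endpoint does not confirm which IDs exist in other restaurants.
    if applicant is None or applicant.restaurant_id != session.restaurant_id:
        raise Forbidden("applicant not found in your restaurant")
    return applicant


def ids_readable(fetch: Callable[[Session, int], Applicant], session: Session) -> List[int]:
    """Enumerate which applicant IDs a session can read through `fetch`.
    This is the check a tester would run to tell the two cases apart."""
    readable = []
    for applicant_id in APPLICANTS:
        try:
            fetch(session, applicant_id)
            readable.append(applicant_id)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    restaurant_admin = Session("t", "restaurant_admin", 100)
    print("vulnerable:", ids_readable(get_applicant_vulnerable, restaurant_admin))
    print("scoped:    ", ids_readable(get_applicant_scoped, restaurant_admin))
```

The enumeration helper is the practical test for the question the comment raises: if an account scoped to one restaurant can read records belonging to another by changing the ID, the flaw is an IDOR regardless of how privileged that account is within its own restaurant; if only a global administrator can, the access followed from the account's context.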