Hacker News

myself248 yesterday at 1:41 PM (3 replies)

Or someone found server.domain/path/subdirectory/resourceX and was like "shit, I was hoping to find resourceY but I can't find a link to it, I wonder if I just click in my address bar and change the X to a Y", and voila, resourceY is right there.

To some of us, this is elementary navigation. Like going up the stairs if the elevator is out. Often it's faster than waiting for the damn elevator, too.

To others, it's cybarrrr-criiiimeeee!!!!!!11111one


Replies

kaszanka yesterday at 3:19 PM

People have already been imprisoned for this, one case I can think of off the top of my head is https://en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_emai....

itintheory yesterday at 5:37 PM

It has a name in the security industry, Insecure Direct Object Reference (IDOR) [1]. Somewhat related to Path Traversal [2]. Unfortunately CFAA is very broad and can be (mis)interpreted in wild ways.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Dire... [2] https://owasp.org/www-community/attacks/Path_Traversal
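The pattern the thread is describing, as an added example that is not part of the HN discussion or of any OWASP material: a sequential-ID lookup with no per-object authorization (the IDOR case), the same lookup with an access check, and the "change the X to a Y" enumeration run against both. The announcement store, the `Request` model and all names are constructed for illustration.

```python
"""Added example (not from the HN thread): a minimal model of the
sequential-ID enumeration the comments describe, with the unsafe lookup
beside an authorization-checked one.  Data, names and the request model
are all constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Announcement:
    id: int
    owner: str
    published: bool
    body: str


# Constructed sample data: ids are sequential, and #3 is not yet released.
STORE: Dict[int, Announcement] = {
    1: Announcement(1, "airline", True, "Q1 schedule update"),
    2: Announcement(2, "airline", True, "New lounge in Houston"),
    3: Announcement(3, "airline", False, "DRAFT: elite-tier changes"),
}


@dataclass(frozen=True)
class Request:
    user: str        # who is asking
    is_staff: bool   # may see unpublished drafts


Response = Tuple[int, Optional[str]]  # (HTTP-style status, body)


def get_announcement_idor(req: Request, ann_id: int) -> Response:
    """Vulnerable handler: the id taken from the URL is the only thing
    consulted.  Anyone who can guess an id gets the record (IDOR)."""
    ann = STORE.get(ann_id)
    if ann is None:
        return 404, None
    return 200, ann.body


def get_announcement_checked(req: Request, ann_id: int) -> Response:
    """Hardened handler: fetch by id, then decide whether *this caller*
    may see *this object* before returning it.  Unpublished drafts get
    404 rather than 403 so the response does not confirm the id exists."""
    ann = STORE.get(ann_id)
    if ann is None:
        return 404, None
    if ann.published or req.is_staff:
        return 200, ann.body
    return 404, None


def enumerate_ids(handler: Callable[[Request, int], Response],
                  req: Request, max_id: int) -> Dict[int, str]:
    """The 'change X to Y in the address bar' move, scaled up: walk ids
    1..max_id and keep whatever comes back with 200."""
    found: Dict[int, str] = {}
    for i in range(1, max_id + 1):
        status, body = handler(req, i)
        if status == 200 and body is not None:
            found[i] = body
    return found


if __name__ == "__main__":
    outsider = Request("student", is_staff=False)
    print("IDOR handler leaks:", enumerate_ids(get_announcement_idor, outsider, 5))
    print("Checked handler shows:", enumerate_ids(get_announcement_checked, outsider, 5))
```

The fix is the per-object check at access time, not the shape of the identifier: switching to random IDs makes the walk impractical but does not stop a user who learns an ID some other way, so the authorization check stays even with unguessable identifiers.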

Syzygies yesterday at 3:18 PM

Continental Airlines had an active frequent flyer community. A student emerged as a legendary figure (think "Hunger Games") after she noticed that Continental announcement URLs were numbered sequentially, and a not-yet-released announcement rather unfavorable to current elites was there for anyone to read. Quite the brouhaha. Continental retreated.

She was nevertheless welcome at a frequent flyer event hosted by Continental in Houston, where she beat me at poker.