Can people change the user ID in a URL to log in as another user on my app?

Short answer

If you built with Lovable, Bolt, or Cursor without explicit authorization checks, probably yes. It's called IDOR and it's the second most common vibe-coded-app bug. Test it yourself: log in, copy a URL with your user ID, change the ID, hit enter. If it loads another user's page, you have the bug.

This bug is called IDOR (Insecure Direct Object Reference) or BOLA (Broken Object-Level Authorization). AI coding tools are particularly prone to it because they generate the happy path — 'fetch this user' — without the authorization check — 'only if it's YOUR user'.

**How to test it in 30 seconds:**

1. Log in to your own app as User A.
2. Go to a page like `/account` or `/orders/123`.
3. Copy the URL.
4. In the URL, change `123` to `124`.
5. If the page loads with someone else's data, you have the bug.

**How to fix it.** Every API route that fetches user data needs a check like:

```ts
if (order.user_id !== session.user.id) {
  return Response.json({ error: 'not yours' }, { status: 403 });
}
```

For Supabase specifically, the cleaner fix is RLS on the underlying table: Postgres will refuse to return the row at all if the policy fails.
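To show the check above in context, and to turn the 30-second manual test into something repeatable, here is an added example (not code from the original article) of an orders route with and without the ownership check. The session shape, the in-memory `orders` table, the user IDs `user-a`/`user-b` and the order IDs 123/124 are all constructed for this demo; a plain `{ status, body }` object stands in for `Response.json` so the example runs offline.

```typescript
// Added example, not from the original article. Everything here is
// constructed: the Session type, the in-memory orders table and the IDs.

type Session = { user: { id: string } };
type Order = { id: number; user_id: string; total: number };
type JsonResponse = { status: number; body: unknown };

// Constructed sample data: two users, each owning one order.
const orders: Order[] = [
  { id: 123, user_id: 'user-a', total: 42 },
  { id: 124, user_id: 'user-b', total: 99 },
];

function findOrder(id: number): Order | undefined {
  return orders.find((o) => o.id === id);
}

// Happy path only: returns whatever ID is in the URL. This is the IDOR.
function getOrderVulnerable(_session: Session, orderId: number): JsonResponse {
  const order = findOrder(orderId);
  if (!order) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: order };
}

// Same route with the article's authorization check: the caller must own
// the row, otherwise the route answers 403 and never returns the data.
function getOrderSecure(session: Session, orderId: number): JsonResponse {
  const order = findOrder(orderId);
  if (!order) return { status: 404, body: { error: 'not found' } };
  if (order.user_id !== session.user.id) {
    return { status: 403, body: { error: 'not yours' } };
  }
  return { status: 200, body: order };
}

// The article's 30-second test, automated: log in as A, fetch A's own
// order, then swap the ID to B's order. Returns true if the route leaks.
function leaksAcrossUsers(
  handler: (s: Session, id: number) => JsonResponse,
): boolean {
  const sessionA: Session = { user: { id: 'user-a' } };
  const own = handler(sessionA, 123);
  const swapped = handler(sessionA, 124);
  return own.status === 200 && swapped.status === 200;
}

console.log('vulnerable route leaks:', leaksAcrossUsers(getOrderVulnerable)); // true
console.log('secure route leaks:', leaksAcrossUsers(getOrderSecure)); // false
```

The check sits after the lookup, so a request for a row that does not exist still gets a 404 while a request for someone else's row gets a 403; the important property is that no branch returns another user's data. With the Supabase RLS approach the article mentions, the same `user_id` comparison moves into the table policy, so a forgotten check in one route no longer leaks the row.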

Securie's scan (launching this year) will test every API route in your app by logging in as two synthetic users and trying to swap IDs between them. Join the list and we'll run it on your app in week 1, with a plain-English report of which routes leak plus the fix.
