Security Director at ForgeRock.
Author: https://www.manning.com/books/api-security-in-action
Cryptography and application security. PhD in AI. Secret Prolog junkie.
If your external ids are unguessable (e.g., 256-bit random strings) then this attack completely disappears. Another alternative is to only expose /api/accounts/me if there is no valid reason for a user to ever access any other account.
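Worked example of the two alternatives in the comment above, added here as illustration (it is not code from the comment, from ForgeRock, or from the linked book): a hypothetical account store that keeps a sequential database key for itself but exposes a 256-bit random external id, with three request handlers standing in for `/api/accounts/{id}` keyed on the internal id, `/api/accounts/{id}` keyed on the external id, and `/api/accounts/me`. The `AccountStore` class, the handler names, and the sample accounts are assumptions for the demonstration.

```python
from __future__ import annotations

import base64
import secrets
from dataclasses import dataclass


def new_external_id() -> str:
    """Return a 256-bit random identifier from the OS CSPRNG, base64url-encoded
    without padding (43 characters). With 2**256 possible values an attacker
    cannot enumerate accounts by guessing ids."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


@dataclass
class Account:
    internal_id: int   # sequential database key, never sent to clients
    external_id: str   # what the API shows in URLs and responses
    owner: str         # user entitled to see this account
    balance: int


class AccountStore:
    """Hypothetical in-memory store standing in for a database table (one account per owner)."""

    def __init__(self) -> None:
        self._by_internal: dict[int, Account] = {}
        self._by_external: dict[str, Account] = {}
        self._by_owner: dict[str, Account] = {}

    def create(self, owner: str, balance: int) -> Account:
        acct = Account(len(self._by_internal) + 1, new_external_id(), owner, balance)
        self._by_internal[acct.internal_id] = acct
        self._by_external[acct.external_id] = acct
        self._by_owner[owner] = acct
        return acct

    def get_by_internal_id(self, internal_id: int) -> Account | None:
        return self._by_internal.get(internal_id)

    def get_by_external_id(self, external_id: str) -> Account | None:
        return self._by_external.get(external_id)

    def get_by_owner(self, owner: str) -> Account | None:
        return self._by_owner.get(owner)


def to_json(acct: Account) -> dict:
    # Only the external id ever appears in a response body.
    return {"id": acct.external_id, "owner": acct.owner, "balance": acct.balance}


# Vulnerable design: /api/accounts/{id} where {id} is the sequential internal key.
def get_account_guessable(store: AccountStore, raw_id: str) -> tuple[int, dict | None]:
    try:
        internal_id = int(raw_id)
    except ValueError:
        return 404, None
    acct = store.get_by_internal_id(internal_id)
    return (200, to_json(acct)) if acct else (404, None)


# Alternative 1: /api/accounts/{id} where {id} is the 256-bit random external id.
def get_account_unguessable(store: AccountStore, external_id: str) -> tuple[int, dict | None]:
    acct = store.get_by_external_id(external_id)
    return (200, to_json(acct)) if acct else (404, None)


# Alternative 2: /api/accounts/me; the account comes from the authenticated session,
# so the client never supplies an id at all.
def get_account_me(store: AccountStore, session_user: str) -> tuple[int, dict | None]:
    acct = store.get_by_owner(session_user)
    return (200, to_json(acct)) if acct else (404, None)


def enumerate_accounts(store: AccountStore, handler, candidates: list[str]) -> list[dict]:
    """Attacker's view: call the handler with each candidate id and keep every hit."""
    return [body for c in candidates if (body := handler(store, c)[1]) is not None]


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", 100)   # constructed sample accounts
    store.create("bob", 50)
    guesses = [str(i) for i in range(1, 1000)]
    print("sequential ids leak:", enumerate_accounts(store, get_account_guessable, guesses))
    print("random ids leak:", enumerate_accounts(store, get_account_unguessable, guesses))
    print("me:", get_account_me(store, "alice"))
```

Running the script shows that walking ids 1..999 against the guessable handler returns both accounts, the same walk (or any number of freshly generated random ids) against the unguessable handler returns nothing, and the `me` handler needs no client-supplied id at all.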