How an IDOR Vulnerability Led to User Profile Modification
ID: c4353973-2dcc-5b7e-b705-2bf5ae4eabec
STIX ID: report--c4353973-2dcc-5b7e-b705-2bf5ae4eabec
Feed Name: HackerOne Blog
This report describes an IDOR (Insecure Direct Object Reference) vulnerability discovered on mtnmobad.mtnbusiness.com.ng. It allowed an authenticated attacker to enumerate account identifiers and update arbitrary account details (including mobile numbers and emails) by modifying the payload sent to the /app/updateUser endpoint. The finding was rated Critical, and the report includes reproduction steps, server responses, and recommended mitigations (authorization checks, non-guessable resource identifiers, and rate limiting).
