IDOR in API applications (able to see any API token, leads to account takeover)