"Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)"
What vibe coding promoters don't understand is that the average web developer hasn't learned web security 101. Proof: HN commenter points out that "A01:2021 – Broken Access Control" is completely normal in production code.
Not justifying it, but many applications consider the uniqueness of the URL enough protection to prevent discovery.
> Is this just bad development? Are these just things that could be missed by any developer or team?
It's not knowing them. And when you vibe-code something, and don't prompt for it, it's not gonna do it.
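Added example, not part of the thread: a minimal sketch of the insecure direct object reference quoted at the top, next to a handler that checks ownership, with random UUIDs standing in for "unique URLs". The account store, handler names, and sample users are all assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass

class NotFound(Exception):
    """Raised for missing AND foreign objects, so replies do not reveal which ids exist."""

@dataclass
class Account:
    id: str
    owner: str
    email: str

ACCOUNTS = {}  # constructed in-memory store, keyed by random UUID

def create_account(owner, email):
    acct = Account(id=str(uuid.uuid4()), owner=owner, email=email)
    ACCOUNTS[acct.id] = acct
    return acct

def get_account_insecure(session_user, account_id):
    # IDOR: the caller is authenticated, but the lookup trusts the id alone.
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return acct

def get_account(session_user, account_id):
    # Object-level authorization: the record must belong to the session user.
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise NotFound(account_id)
    return acct

def update_email(session_user, account_id, new_email):
    # Writes go through the same ownership check as reads.
    acct = get_account(session_user, account_id)
    acct.email = new_email
    return acct

def can_read(handler, session_user, account_id):
    try:
        handler(session_user, account_id)
        return True
    except NotFound:
        return False

if __name__ == "__main__":
    alice = create_account("alice", "alice@example.test")
    bob = create_account("bob", "bob@example.test")
    # Assume bob's id reached alice through a shared link, a log, or a Referer header.
    print(can_read(get_account_insecure, "alice", bob.id), can_read(get_account, "alice", bob.id))
```

The random id only makes the reference hard to guess; once it is known, only the ownership check in `get_account` stands between one user and another user's record.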