Reply to post: First American Financial Corporation

US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

SVV

First American Financial Corporation

And the Second American, and the Third......

I'm betting this was a REST application, or possibly one of the shonky server-side JavaScript frameworks, and their application "architecture" was based on a simple "Getting Started : How to Easily Create an Application in Five Minutes" example, which just passes ids in URLs rather than actually implementing things in a secure way. Seen a number of similarly stupid examples myself in the past decade - my favourite response when I raised the issue with a "senior developer" was being told that it didn't matter that the id was in the URL, because requests were encrypted using HTTPS, so nobody could see them! Doh!
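The pattern the comment describes (an id in the URL as the only gate) beside a handler with an object-level ownership check, as an added example that is not part of the original comment and not code from any system named in the article. The handler names, request shape and sample documents are constructed for illustration; HTTPS protects the request in transit, but the requester still chooses the id, so the decision has to be made server-side.

```javascript
// Constructed sample data: two documents owned by different customers.
const documents = new Map([
  [1001, { owner: "alice", title: "Closing statement (alice)" }],
  [1002, { owner: "bob", title: "Closing statement (bob)" }],
]);

// Parse "/documents/<id>" into a numeric id, or null if the path is malformed.
function parseDocId(path) {
  const m = /^\/documents\/(\d{1,9})$/.exec(path);
  return m ? Number(m[1]) : null;
}

// "Getting started" pattern: knowing the id is the only access control.
function getDocumentInsecure(req) {
  const id = parseDocId(req.path);
  const doc = id === null ? undefined : documents.get(id);
  if (!doc) return { status: 404, body: null };
  return { status: 200, body: doc.title }; // no check of who is asking
}

// Hardened: require an authenticated identity and check object ownership.
// req.user is assumed to come from a server-side session, never from the URL.
function getDocumentChecked(req) {
  if (!req.user) return { status: 401, body: null };
  const id = parseDocId(req.path);
  const doc = id === null ? undefined : documents.get(id);
  // Same 404 for "missing" and "not yours", so responses do not reveal
  // which ids exist.
  if (!doc || doc.owner !== req.user) return { status: 404, body: null };
  return { status: 200, body: doc.title };
}

// Constructed request: alice asks for bob's document id.
const crossTenant = { path: "/documents/1002", user: "alice" };
console.log("insecure:", getDocumentInsecure(crossTenant).status);
console.log("checked: ", getDocumentChecked(crossTenant).status);
```

The ownership check belongs in every handler that resolves an id to a record; logging the 404s it produces per session also gives a signal when someone walks through ids.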
