The end-user is unlikely to know which part of the context is relevant, and it may also change from moment to moment depending on who is speaking to whom. Of course you could imagine an AI interpreter that has cameras for situational awareness and asks for clarification if anything important is unclear while smoothing over minor stuff without interrupting, but you could equally easily imagine an AGI, so it's not clear that this could be built to a reasonable quality standard with current technology.
Who says it was? Why would they willingly give out their customers' and customers' customers data to any anonymous person or a bot?
More likely a bad oversight
This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.
For 3 years? That would mean that no developer has ever raised these issues with management, to speak nothing of an actual pentest being conducted.
No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.
I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shutdown.
Because they don't care, and their customers don't understand any of this shit?
It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.
Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.
It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.
Even before 2012 people were saying it was either 2012 or 2021 and we're not sure which. The reasoning was basically that some years are missing from the calendar.
The real reason is that if you make several million phones that a certain percentage is always going to explode, either by manufacturing defect or a user pierces the cell through accident. This might mean the difference between some light leg burns or your death and phone makers are not going to take the negative press of the latter scenario. Their only answer is better power usage.
