User ID controlled by request parameter, with unpredictable user IDs

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.

Upon logging in as "wiener," I noticed that my account was associated with a GUID in the URL:

https://***.web-security-academy.net/my-account?id=4e5a7f7c-7bac-4278-a3d4-1bfe75f53e4a

To access "carlos" account, I needed his GUID. After a thorough search, I stumbled upon a blog written by him at:

https://****.web-security-academy.net/blogs?userId=55489696-7fe5-4ff3-8457-23e4f6d1c601

By substituting my ID with his in the URL, I successfully accessed "carlos" account and could proceed to submit the API key, ultimately solving the lab.