Bug bounties are all well and good, but a basic pen test would have picked that up. They aren't that expensive and, for a business trading in data that can get you killed in some parts of the world, should be mandatory.
It's not a bug. It is either a backdoor placed there from the design/implementation or super lazy programming. I don't want to think it's done on purpose (Hanlon's razor).
A full account takeover is a really shitty backdoor. Just make a separate "test" endpoint that's exactly the same as the main API but requires no authentication so anyone can read anything. Perfectly deniable as just a bug and entirely undetectable from a target's POV.
If that's an intentional backdoor it's a very weird backdoor. Wouldn't you at least obfuscate things a little bit? Simply mixing up the characters in that string in some pre-planned order would be enough.
While I doubt it's an intentional backdoor, I wouldn't assume that backdoors would be obfuscated. You can't deny knowledge of an obfuscated backdoor, while an obvious one could plausibly be a simple mistake.