https://www.pentestpartners.com/security-blog/hacking-ski-helmet-audio/
Without authorisation, through insecure direct object references (IDOR) I could:
- Pull all the users and their email addresses
- View their phone number
- Extract users’ real-time GPS position
- Listen to real-time walkie-talkie chats