Insecure Direct Object Reference (IDOR) is a common security vulnerability in which attackers manipulate references to access data they are not authorized to see. It typically occurs when internal implementation objects such as files or database keys are exposed to the client without proper access control. Highlighted in the OWASP Top 10 list, IDOR's prevalence is evidenced by public bug bounty reports and notable incidents such as the 2010 AT&T data breach, which exposed iPad users' email addresses and ICC-IDs. The vulnerability's impact varies with the data accessed, ranging from trivial information to sensitive details like bank statements. Exploitability is high because references are easy to manipulate; such vulnerabilities can be discovered through code analysis and automated tools like Detectify, which tests websites for over 700 security issues, including those in the OWASP Top 10. Mitigation involves implementing robust access controls and using less predictable references to reduce the risk of enumeration and unauthorized access.
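The following is an added example, not code from the original page or from Detectify, showing the bank-statement case above: a lookup that trusts a client-supplied id (the IDOR), the same lookup scoped to the authenticated user, and an opaque-reference layer that defeats enumeration. The sample table, user names and function names are constructed for illustration.

```python
"""IDOR demonstration: statement lookup without and with an ownership
check, plus unpredictable references. Constructed sample data only."""
import secrets
from typing import Optional

# Constructed sample table: statement_id -> (owner, contents).
# Sequential integer ids are exactly what makes enumeration trivial.
STATEMENTS = {
    1001: ("alice", "Alice statement: balance 2,430.00"),
    1002: ("bob", "Bob statement: balance 118.75"),
}


def get_statement_insecure(current_user: str, statement_id: int) -> Optional[str]:
    """IDOR: the id from the request is used directly and current_user is
    never consulted, so any user can read any statement by changing the id."""
    row = STATEMENTS.get(statement_id)
    return row[1] if row else None


def get_statement_secure(current_user: str, statement_id: int) -> Optional[str]:
    """Fixed: the lookup is scoped to the authenticated principal. A foreign
    id and a missing id both yield None, so the response does not even
    confirm that the record exists."""
    row = STATEMENTS.get(statement_id)
    if row is None or row[0] != current_user:
        return None
    return row[1]


# Defence in depth: hand out unguessable tokens instead of raw integers so
# ids cannot be walked. The token is only an index; the ownership check in
# get_statement_secure still runs on every access.
REFERENCE_TO_ID: dict = {}


def issue_reference(statement_id: int) -> str:
    """Mint a random public reference (128 bits) for an internal id."""
    token = secrets.token_urlsafe(16)
    REFERENCE_TO_ID[token] = statement_id
    return token


def get_statement_by_reference(current_user: str, ref: str) -> Optional[str]:
    """Resolve an opaque reference, then enforce ownership as usual."""
    statement_id = REFERENCE_TO_ID.get(ref)
    if statement_id is None:
        return None
    return get_statement_secure(current_user, statement_id)
```

Calling `get_statement_insecure("bob", 1001)` returns Alice's statement, while `get_statement_secure("bob", 1001)` returns None; the opaque reference only removes guessability and is not a replacement for the check.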