IDOR: Can I See That?

Uday Alawa
Sep 7, 2022


IDOR stands for Insecure Direct Object Reference. Let me explain it with an example. Suppose there is a website that has functionality to send and retrieve messages. I can access my messages using https://message.com/messages/uid134&uid453/, and this query returns all chat messages between uid134 and uid453.

Now, what if you change the URL to https://message.com/messages/uid112&uid453/? This query returns all chat messages between uid112 and uid453, which you should not have access to.

Checklist for Hunting IDOR

  1. Does it work if you completely remove a cookie?
  2. Does it work if you replace the first cookie with the second cookie?
  3. Does it work if you replace a cookie with one from another user with a different privilege level?
  4. Can we access it without being logged in?
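The messaging example and the checklist above, turned into an authorization regression check (an added example, not code from the original post). The handlers, cookie values, the moderator account uid900 and the policy that only the two participants may read a conversation are assumptions made for illustration.

```python
# Constructed sample data: session cookie -> user id, and stored conversations.
SESSIONS = {
    "cookie-a": "uid134",
    "cookie-b": "uid112",
    "cookie-mod": "uid900",  # hypothetical account with a different privilege level
}
MESSAGES = {
    frozenset({"uid134", "uid453"}): ["hi 453", "hello 134"],
    frozenset({"uid112", "uid453"}): ["private note"],
}

def get_messages_vulnerable(cookie, user_a, user_b):
    """Trusts the ids in the URL, so any caller gets any conversation (IDOR)."""
    msgs = MESSAGES.get(frozenset({user_a, user_b}))
    return (200, msgs) if msgs is not None else (404, None)

def get_messages_fixed(cookie, user_a, user_b):
    """Authorizes the requested object against the session, not the URL."""
    caller = SESSIONS.get(cookie)
    if caller is None:                    # checklist 1 and 4: missing/unknown cookie
        return (401, None)
    if caller not in (user_a, user_b):    # checklist 2 and 3: somebody else's cookie
        return (403, None)
    msgs = MESSAGES.get(frozenset({user_a, user_b}))
    return (200, msgs) if msgs is not None else (404, None)

def run_checklist(handler):
    """Replays the checklist against one handler and returns the status codes."""
    target = ("uid134", "uid453")
    return {
        "owner_cookie": handler("cookie-a", *target)[0],
        "no_cookie": handler(None, *target)[0],
        "other_user_cookie": handler("cookie-b", *target)[0],
        "other_privilege_cookie": handler("cookie-mod", *target)[0],
        "changed_id_in_url": handler("cookie-a", "uid112", "uid453")[0],
    }

if __name__ == "__main__":
    for handler in (get_messages_vulnerable, get_messages_fixed):
        print(handler.__name__, run_checklist(handler))
```

Any 200 outside the `owner_cookie` row means the endpoint is returning data based on the identifier alone.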
