How Bad Authorization Design Put 200,000+ Students at Risk

How I discovered a chain of IDORs in a public education platform used by every FP student in Catalonia, chained them into a full account takeover, and reported it responsibly.