Just as the title implies, there is an insecure direct object reference vulnerability affecting character sheets.
For example, if you go to the following URL, https://www.dndbeyond.com/characters/98787957, you will find my character, Safir.
However, if you increment the number in the URL by one you will find another person's character, Hannibal, a level 4 Goliath Blood Hunter.
This indicates that it is possible to enumerate every character sheet in the application simply by iterating through sequential identifiers, in order to view character sheets that do not belong to you and are otherwise not searchable.
Sure, they CAN be viewable by anyone, but they should not be. This is a privacy issue.
Character sheets should only be shareable via the person who shared them and not methodically iterated through by some random ******* like myself.
You can mitigate this by using cryptographically strong random values for your character sheet identifiers, so that sheets can no longer be walked by incrementing a number. The underlying fix, though, is an authorization check on the server: only return a sheet if the requester owns it or the owner has chosen to share it, regardless of how the identifier was obtained.
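As an added illustration (not D&D Beyond's code, and assuming an in-memory store with made-up owners and character names), the vulnerable shape beside the hardened one: a sequential-ID lookup with no authorization check, which an attacker can enumerate, and a store that issues unguessable identifiers from the OS CSPRNG and enforces the ownership/sharing rule on every read.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Character:
    owner: str
    name: str
    shared: bool = False  # owner opted in to link sharing


class SequentialStore:
    """Vulnerable shape: sequential integer IDs and no authorization check."""

    def __init__(self, first_id: int = 98787957):
        self._next = first_id
        self._sheets = {}  # id -> Character

    def create(self, owner: str, name: str, shared: bool = False) -> int:
        cid = self._next
        self._next += 1
        self._sheets[cid] = Character(owner, name, shared)
        return cid

    def get(self, cid: int, requester: str = None):
        # IDOR: the requester is ignored, so any existing sheet is served to anyone.
        return self._sheets.get(cid)


def enumerate_sheets(store: SequentialStore, start: int, count: int):
    """Walk consecutive IDs the way an attacker would; returns what leaked."""
    found = []
    for cid in range(start, start + count):
        sheet = store.get(cid, requester="attacker")
        if sheet is not None:
            found.append((cid, sheet.owner, sheet.name))
    return found


class HardenedStore:
    """Random, non-enumerable IDs plus an ownership/sharing check on every read."""

    def __init__(self):
        self._sheets = {}  # token -> Character

    def create(self, owner: str, name: str, shared: bool = False) -> str:
        # 128 bits from the OS CSPRNG, URL-safe so it drops straight into a path.
        cid = secrets.token_urlsafe(16)
        self._sheets[cid] = Character(owner, name, shared)
        return cid

    def get(self, cid: str, requester: str):
        sheet = self._sheets.get(cid)
        # Unknown ID and unauthorized request both yield None (a 404 in a web
        # app), so the endpoint does not confirm that a guessed ID exists.
        if sheet is None:
            return None
        if requester != sheet.owner and not sheet.shared:
            return None
        return sheet


if __name__ == "__main__":
    seq = SequentialStore()
    mine = seq.create("alice", "Safir")
    seq.create("bob", "Hannibal")
    print("leaked via enumeration:", enumerate_sheets(seq, mine, 2))

    hard = HardenedStore()
    token = hard.create("alice", "Safir")
    print("random id:", token, "-> bob sees:", hard.get(token, "bob"))
```

The random identifier only removes the enumeration path; the `requester` check in `HardenedStore.get` is what actually closes the IDOR, because a leaked or shared link still goes through it.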