IDOR vulnerability leads to Deleting message after leaving/getting banned from group using message ID

Disclosed: 2024-10-13 09:32:06 By yash24 To rocket_chat
Low
Vulnerability Details
Steps:

1. First, send a message to the channel and capture its request: {F2424019}
   Endpoint: `/api/v1/method.call/sendMessage`
   `CZZqd6rMsiqbsqa9h` is the message ID that will be used later to delete this message.
2. Leave the channel.
3. Now, don't join the channel again; just look at the options available for your message. You will see that you can't delete this message after leaving or getting kicked from the channel.
4. But this can be bypassed through the DeleteMessage API call. Try to delete your message in some other channel and capture its request, as shown in the screenshot below: {F2424023}
   Endpoint: `/api/v1/method.call/deleteMessage`
5. Now, change the id to `CZZqd6rMsiqbsqa9h` and forward the updated request. {F2424024}
6. It successfully deleted the message. {F2424026} {F2424027}

## Impact

The impact is that a user can still delete messages after getting banned/muted from the channel, leaving no evidence of his/her violations. This must be strictly restricted.
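The report describes a delete call that accepts a message ID from a room the caller no longer belongs to. The following added example (not Rocket.Chat's code and not part of the original report) contrasts an ownership-only check with one that also requires current room membership; every name and all data in it are hypothetical and constructed, and the assumption that membership is the missing check is ours.

```javascript
// Constructed in-memory data; all identifiers are hypothetical, not Rocket.Chat's API.
const rooms = new Map([
  ['roomA', { members: new Set(['alice', 'mod']), muted: new Set() }],
  ['roomB', { members: new Set(['alice', 'bob']), muted: new Set() }],
]);
const messages = new Map([
  ['msgInRoomA', { rid: 'roomA', author: 'bob' }], // bob posted here, then left or was removed
  ['msgInRoomB', { rid: 'roomB', author: 'bob' }], // bob is still a member of roomB
]);

// Weak pattern: trusts the client-supplied message ID and checks authorship only.
function canDeleteOwnershipOnly(userId, msgId) {
  const msg = messages.get(msgId);
  return Boolean(msg) && msg.author === userId;
}

// Hardened pattern: resolve the room from the stored message (never from the
// request), then require the caller to be a current member of that room.
function canDeleteWithRoomCheck(userId, msgId) {
  const msg = messages.get(msgId);
  if (!msg) return false;
  const room = rooms.get(msg.rid);
  if (!room || !room.members.has(userId)) return false;
  // Policy assumption: muted users also lose the ability to delete.
  if (room.muted.has(userId)) return false;
  return msg.author === userId;
}

// The handler takes the authorization function as a parameter so both
// variants can be exercised against the same data.
function deleteMessage(userId, msgId, authorize) {
  if (!authorize(userId, msgId)) {
    return { success: false, error: 'not-authorized' };
  }
  messages.delete(msgId);
  return { success: true };
}
```

A regression test for this class of bug should call the delete endpoint directly as a user who has left the room, since the UI already hides the option in that state.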
Report Stats
  • Report ID: 2028450
  • State: Closed
  • Substate: resolved
  • Upvotes: 53