Actually it's okay. Cause it shouldn't be the determinant for security on your web app.
I once edited the link of a DM with someone on Twitter through the browser's address bar. I saw the ID of the DM and tried incrementing it, which worked!
But I've never heard of Twitter being hacked in any way.
Data on your service should have permission restrictions based on authenticated users. It's called authorization!