Query Gone Wild: How I Turned a Forgotten GraphQL Endpoint into Full Account Access
Summary
A hacker known as iski describes how they discovered a forgotten GraphQL endpoint and, through a chain of several severe vulnerabilities, escalated it to full account takeover of other users.
The hunt began with mass reconnaissance across the target's assets. That process surfaced a hidden GraphQL endpoint which, on inspection, was not properly locked down, so they were free to probe its queries and mutations and see which authorization checks were missing.
The key flaw was an insecure direct object reference (IDOR) on an integer ID argument: the endpoint authenticated the caller but never checked that the caller was allowed to act on the object named by the ID. By simply incrementing the ID, they could make requests on behalf of other users, which is what turned a stray endpoint into full account access.
From there, they substituted their own user ID with those of existing users and were able to retrieve the original organization ID for every user, along with additional personal information, giving them full access to those accounts.
That access meant they could read anything the victim could read, write through the victim's account, and even delete the user entirely.
The post closes with the lesson not to underestimate small, innocuous-looking endpoints, and with the observation that mass reconnaissance and stray-asset hunting are essential skills for any bug bounty hunter.
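The pattern above, as an added example that is not code from iski's post or from the affected target: a minimal GraphQL-style resolver set with the vulnerable shape (authenticated endpoint, no object-level check on the `id` argument) beside a hardened version, plus the ID-incrementing enumeration step. The schema fields (`user`, `deleteUser`), the user table, and the `viewerId` context field are all constructed for illustration and are assumptions, not details from the write-up.

```javascript
// Added example (not from iski's post): a minimal GraphQL-style resolver set
// showing the IDOR pattern described above, and the object-level check that fixes it.
// Field names, the user table, and ctx.viewerId are constructed for illustration.

// Constructed sample data standing in for the target's user store.
// A real GraphQL `ID` argument arrives as a string; this stand-in passes numbers.
const USERS = new Map([
  [1001, { id: 1001, email: "alice@example.com", orgId: 7 }],
  [1002, { id: 1002, email: "bob@example.com", orgId: 7 }],
  [1003, { id: 1003, email: "carol@example.com", orgId: 9 }],
]);

// Vulnerable resolvers: the endpoint is authenticated (ctx.viewerId is set by the
// session layer), but each resolver trusts the client-supplied id and never checks
// that the viewer may act on that object. Any logged-in user can walk
// ids 1001, 1002, 1003, ... and read, write or delete every account.
const vulnerableResolvers = {
  Query: {
    user: (_parent, { id }, ctx) => {
      if (ctx.viewerId == null) throw new Error("unauthenticated");
      return USERS.get(id) ?? null;
    },
  },
  Mutation: {
    deleteUser: (_parent, { id }, ctx) => {
      if (ctx.viewerId == null) throw new Error("unauthenticated");
      return USERS.delete(id);
    },
  },
};

// Hardened resolvers: object-level authorization. The check runs before the
// lookup, so any id other than the viewer's own gets the same "forbidden" error
// whether or not the record exists; the response is not an existence oracle.
function assertOwner(ctx, id) {
  if (ctx.viewerId == null) throw new Error("unauthenticated");
  if (ctx.viewerId !== id) throw new Error("forbidden");
}
const hardenedResolvers = {
  Query: {
    user: (_parent, { id }, ctx) => {
      assertOwner(ctx, id);
      return USERS.get(id) ?? null;
    },
  },
  Mutation: {
    deleteUser: (_parent, { id }, ctx) => {
      assertOwner(ctx, id);
      return USERS.delete(id);
    },
  },
};

// Tiny stand-in for a GraphQL executor: dispatch one operation to a resolver map
// and shape the result like a GraphQL response ({ data } or { data: null, errors }).
function execute(resolvers, op, field, args, ctx) {
  try {
    return { data: resolvers[op][field](null, args, ctx) };
  } catch (e) {
    return { data: null, errors: [e.message] };
  }
}

// The enumeration step from the write-up: hold one session, increment the
// integer id, and collect whichever other users' records come back.
// For a correctly authorized server this returns an empty list.
function enumerateUsers(resolvers, viewerId, startId, count) {
  const leaked = [];
  for (let id = startId; id < startId + count; id++) {
    const res = execute(resolvers, "Query", "user", { id }, { viewerId });
    if (res.data && res.data.id !== viewerId) leaked.push(res.data.id);
  }
  return leaked;
}
```

Run as alice (viewer 1001): `enumerateUsers(vulnerableResolvers, 1001, 1000, 10)` returns the other two ids, while the hardened resolvers return nothing and refuse `deleteUser` for any id but her own. The same check generalizes to organization-scoped objects by comparing the viewer's `orgId` against the target record's instead of comparing user ids; whichever scope applies, the rule is that authentication alone never authorizes access to an object the client named.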