Timeline
June 28, 2022: A security researcher submits a report detailing a critical GraphQL vulnerability.
June 29, 2022: The issue is reviewed, and further information is requested.
July 1, 2022: The vulnerability is validated and escalated for internal review.
July 5, 2022: Severity increased to critical (9.3/10) due to the exposure of private report titles.
July 5, 2022: Researcher is awarded $25,000 for responsibly reporting the issue.
January 21, 2025: The report is publicly disclosed after complete mitigation.
Introduction: A Critical IDOR in GraphQL
Insecure Direct Object References (IDOR) remain one of the most commonly exploited vulnerabilities, often allowing unauthorized access to sensitive data.
In a recent high-severity bug bounty case, a researcher discovered a GraphQL endpoint misconfiguration that allowed unauthenticated users to enumerate object IDs and extract private bug bounty program details.
🔴 What was exposed?
✅ Private program names
✅ Scope details of security assets
✅ Titles of private reports
This vulnerability led to a $25,000 bounty payout. Let’s break down how the attack worked and how organizations can prevent such GraphQL-based IDOR vulnerabilities.
cyberw1ng.Medium
Read the Complete Article on Medium
Top comments (0)