Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure

2019-01-01T11:18:11
ID H1:473742
Type hackerone
Reporter loxiran
Modified 2019-03-08T14:03:53

Description

A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not able to identify any horizontal privilege escalation vulnerabilities as a result of this report; however, the issue was triaged and resolved as a High severity finding.

Many thanks to @loxiran for reporting this issue.
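
The failure mode described above, as an added JavaScript example that is not Starbucks code or part of the original report: an absent variable coerced to the string "undefined" in a backend path, a fail-closed version of the same builder, and a check over backend access logs for coerced values. It assumes a JavaScript resolver layer; every function name, path and log line is hypothetical and constructed for illustration.

```javascript
// Added example. Function names, paths and log lines are hypothetical.

// Flawed pattern: a missing variable is interpolated into the backend path,
// where JavaScript coerces it to the literal string "undefined".
function addressUrlUnsafe(vars) {
  return `/internal/users/${vars.username}/addresses`;
}

// Hardened pattern: fail closed unless the value is a well-formed string,
// so an absent variable can never reach the backend as a parameter.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;
function addressUrlSafe(vars) {
  const u = vars ? vars.username : undefined;
  if (typeof u !== "string" || !USERNAME_RE.test(u)) {
    throw new TypeError("username missing or malformed");
  }
  return `/internal/users/${encodeURIComponent(u)}/addresses`;
}

// Detection: flag backend requests whose path or query carries a coerced
// JavaScript placeholder ("undefined", "null", "NaN", "[object Object]").
const COERCED = new Set(["undefined", "null", "nan", "[object object]"]);
function findCoercedParams(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"(?:GET|POST|PUT|DELETE) (\S+)/);
    if (!m) return false;
    const [path, query = ""] = m[1].split("?");
    const segments = path.split("/");
    const values = query.split("&").map((kv) => kv.split("=")[1] || "");
    return [...segments, ...values].some((v) => {
      try { return COERCED.has(decodeURIComponent(v).toLowerCase()); }
      catch { return false; } // malformed percent-encoding: not a match
    });
  });
}

// Constructed sample backend access-log lines.
const SAMPLE_LOG = [
  '10.0.0.5 "GET /internal/users/alice/addresses HTTP/1.1" 200',
  '10.0.0.5 "GET /internal/users/undefined/addresses HTTP/1.1" 200',
  '10.0.0.7 "GET /internal/addresses?user=undefined HTTP/1.1" 200',
  '10.0.0.7 "GET /internal/addresses?user=bob HTTP/1.1" 200',
];
```

A hit from findCoercedParams on a request that returned data is the case worth triaging first, since it means the backend resolved the placeholder to a real record.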